Vulnerability details: VCID-y2tp-9sr1-cuc1
Vulnerability ID VCID-y2tp-9sr1-cuc1
Aliases CVE-2023-2996
Summary Improper Input Validation. The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, delete arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.
Status Published
Exploitability 0.5
Weighted Severity 0.0
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
No exploits are available.

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-05T16:47:57Z/ Found at https://jetpack.com/blog/jetpack-12-1-1-critical-security-update/

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-05T16:47:57Z/ Found at https://wpscan.com/vulnerability/52d221bd-ae42-435d-a90a-60a5ae530663
Exploit Prediction Scoring System (EPSS)
Percentile 0.87562
EPSS Score 0.03349
Published At June 5, 2026, 12:55 p.m.
Date: 2026-06-02T04:45:12.489000+00:00
Actor: GitLab Importer
Action: Import
Source: https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/automattic/jetpack/CVE-2023-2996.yml
VulnerableCode Version: 38.6.0