Jetpack VaultPress - Insecure deserialization
Severity pending
Summary
Full name
Jetpack VaultPress 3.0. - Insecure deserialization
Code name
State
Private
Release date
Jan 3, 2025
Affected product
Jetpack VaultPress
Affected version(s)
Version 3.0.
Vulnerability name
Insecure deserialization
Vulnerability type
Remotely exploitable
No
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
Exploit available
No
CVE ID(s)
Description
Jetpack VaultPress 3.0. was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/vaultpress.php.
Vulnerability
Skims by Fluid Attacks discovered a Insecure deserialization in Jetpack VaultPress 3.0.. The following is the output of the tool:
Skims output
Our security policy
We have reserved the ID CVE-2025-0772 to refer to this issue from now on.
System Information
Version: Jetpack VaultPress 3.0.
Mitigation
There is currently no patch available for this vulnerability.
Timeline
Vulnerability discovered
Jan 3, 2025
Vendor contacted
Jan 3, 2025