
automattic — Vulnerabilities & Security Advisories 58

Browse all 58 CVE security advisories affecting automattic. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Automattic operates as a software development company best known for creating WordPress, the widely used content management system powering a significant portion of the web. Its core business involves maintaining and distributing this open-source platform, alongside related services like hosting and e-commerce solutions. Historically, the organization has faced numerous security challenges, with 58 Common Vulnerabilities and Exposures (CVEs) recorded to date. These incidents predominantly involve remote code execution, cross-site scripting, and privilege escalation flaws, often stemming from the complex plugin and theme ecosystem rather than the core software itself. While major data breaches have not been widely publicized, the sheer volume of vulnerabilities highlights the risks associated with its extensive third-party integrations. The company continues to address these issues through regular updates and security advisories, aiming to mitigate the attack surface inherent in its decentralized development model.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-35777 | WordPress WooCommerce plugin <= 8.9.2 - Content Injection vulnerability | WooCommerce | CWE-74 | 3.5 | Low | 2024-07-09 |
| CVE-2024-37474 | WordPress Newspack Ads plugin <= 1.47.1 - Cross Site Scripting (XSS) vulnerability | Newspack Ads | - | 6.5 | Medium | 2024-07-04 |
| CVE-2024-37476 | WordPress Newspack Campaigns plugin <= 2.31.1 - Cross Site Scripting (XSS) vulnerability | Newspack Campaigns | - | 6.5 | Medium | 2024-07-04 |
| CVE-2024-32111 | WordPress core < 6.5.5 - Auth. Arbitrary .html File Read (Windows Only) vulnerability | WordPress | CWE-22 | 5.0 | Medium | 2024-06-25 |
| CVE-2024-31111 | WordPress Core < 6.5.5 - Cross Site Scripting (XSS) vulnerability | WordPress | CWE-79 | 6.5 | Medium | 2024-06-25 |
| CVE-2023-47788 | WordPress Jetpack plugin < 12.7 - Contributor+ Broken Access Control vulnerability | Jetpack | CWE-862 | 4.3 | Medium | 2024-06-19 |
| CVE-2024-34766 | WordPress ChaosTheory theme <= 1.3 - Cross Site Scripting (XSS) vulnerability | ChaosTheory | CWE-79 | 6.5 | Medium | 2024-06-03 |
| CVE-2024-4392 | Jetpack – WP Security, Backup, Speed, & Growth <= 13.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode | Jetpack – WP Security, Backup, Speed, & Growth | CWE-79 | 6.4 | Medium | 2024-05-14 |
| CVE-2024-34549 | WordPress WP Job Manager plugin <= 2.2.2 - Sensitive Data Exposure vulnerability | WP Job Manager | CWE-200 | 5.3 | Medium | 2024-05-09 |
| CVE-2023-47774 | WordPress Jetpack plugin < 12.7 - Auth. Iframe Injection vulnerability | Jetpack | CWE-1021 | 5.4 | Medium | 2024-04-24 |
| CVE-2023-52211 | WordPress WP Job Manager plugin <= 2.0.0 - Broken Access Control vulnerability | WP Job Manager | CWE-862 | 5.3 | Medium | 2024-04-12 |
| CVE-2024-22155 | WordPress WooCommerce plugin <= 8.5.2 - Cross Site Request Forgery (CSRF) vulnerability | WooCommerce | CWE-352 | 4.3 | Medium | 2024-04-07 |
| CVE-2023-50875 | WordPress Sensei LMS Plugin <= 4.17.0 is vulnerable to Cross Site Scripting (XSS) | Sensei LMS – Online Courses, Quizzes, & Learning | CWE-79 | 6.5 | Medium | 2024-02-12 |
| CVE-2023-52222 | WordPress WooCommerce Plugin <= 8.2.2 is vulnerable to Cross Site Request Forgery (CSRF) | WooCommerce | CWE-352 | 4.3 | Medium | 2024-01-08 |
| CVE-2023-51503 | WordPress WooCommerce Payments Plugin <= 6.6.2 is vulnerable to Insecure Direct Object References (IDOR) | WooPayments – Fully Integrated Solution Built and Supported by Woo | CWE-639 | 5.9 | Medium | 2023-12-31 |
| CVE-2023-50879 | WordPress WordPress.com Editing Toolkit Plugin <= 3.78784 is vulnerable to Cross Site Scripting (XSS) | WordPress.com Editing Toolkit | CWE-79 | 6.5 | Medium | 2023-12-29 |
| CVE-2023-35915 | WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to SQL Injection | WooPayments – Fully Integrated Solution Built and Supported by Woo | CWE-89 | 7.6 | High | 2023-12-20 |
| CVE-2023-35916 | WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to Insecure Direct Object References (IDOR) | WooPayments – Fully Integrated Solution Built and Supported by Woo | CWE-639 | 7.5 | High | 2023-12-20 |
| CVE-2023-49828 | WordPress WooCommerce Payments Plugin <= 6.4.2 is vulnerable to Cross Site Scripting (XSS) | WooPayments – Fully Integrated Solution Built and Supported by Woo | CWE-79 | 6.5 | Medium | 2023-12-14 |
| CVE-2023-45050 | WordPress Jetpack Plugin <= 12.8-a.1 is vulnerable to Cross Site Scripting (XSS) | Jetpack – WP Security, Backup, Speed, & Growth | CWE-79 | 6.5 | Medium | 2023-11-30 |
| CVE-2023-47777 | WordPress WooCommerce and WooCommerce Blocks plugins - Auth. Cross-Site Scripting (XSS) vulnerability | WooCommerce | CWE-79 | 6.5 | Medium | 2023-11-30 |
| CVE-2022-3342 | Jetpack CRM <= 5.3.1 - Cross-Site Request Forgery and PHAR Deserialization | Jetpack CRM – Clients, Leads, Invoices, Billing, Email Marketing, & Automation | CWE-502 | 7.5 | High | 2023-10-20 |
| CVE-2023-3696 | Prototype Pollution in automattic/mongoose | automattic/mongoose | CWE-1321 | 9.8 | - | 2023-07-17 |
| CVE-2023-1912 | Limit Login Attempts <= 1.7.1 - Unauthenticated Stored Cross-Site Scripting | Limit Login Attempts | CWE-79 | 7.2 | High | 2023-04-06 |
| CVE-2022-2564 | Prototype Pollution in automattic/mongoose | automattic/mongoose | CWE-1321 | 9.8 | - | 2022-07-28 |
| CVE-2021-24374 | Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak | Jetpack – WP Security, Backup, Speed, & Growth | CWE-639 | 5.3 | - | 2021-06-21 |
| CVE-2021-24312 | WP Super Cache < 1.7.3 - Authenticated Remote Code Execution | WP Super Cache | CWE-94 | 7.2 | - | 2021-06-01 |
| CVE-2021-24323 | Woocommerce < 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS) | WooCommerce | CWE-79 | 4.8 | - | 2021-05-17 |

A "-" in the CWE or Severity column means the listing gives no value for that entry.

This page lists every published CVE security advisory associated with automattic. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.