Description
WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can cause a victim's browser to execute arbitrary JavaScript by exploiting a reflected XSS flaw in the Jetpack 9.1 plugin. The vulnerability is triggered when an attacker supplies a crafted value for the post_id parameter on the grunion-form-view.php endpoint; the value is reflected into the response without escaping, so a payload that closes the surrounding HTML context is rendered as script. The code runs in the origin of the WordPress site (the scope change recorded as S:C / SC:L in the metrics), not just the plugin's page, so it can read what that page can read, send requests that carry the victim's cookies, and, if the victim is a logged-in editor or administrator, act against wp-admin on their behalf. Typical consequences are session or credential theft and content or configuration changes made through the victim's session; the script does not by itself compromise the server.

Affected Systems

The title and description name the WordPress Jetpack plugin, version 9.1, distributed by Automattic; grunion-form-view.php belongs to Jetpack's contact-form ("Grunion") module. The only CPE attached to the record, however, is cpe:2.3:a:automattic:jetpack_boost:9.1:*:*:*:*:*:*:*, which identifies Automattic's separate Jetpack Boost plugin rather than Jetpack itself, so the product mapping in the record should be treated as unconfirmed and matched against the plugin that actually ships the endpoint. No other versions or products are listed as impacted, and the record does not state which later version fixed the issue.

Risk and Exploitability

The record carries a CVSS v4.0 score of 5.1 (medium) and a CVSS v3.1 score of 6.1 (medium); both vectors are network-reachable with no privileges required but with user interaction required (UI:R / UI:A). The EPSS estimate is below 1% and the flaw is not listed in the CISA KEV catalog. The most likely attack path is delivery of a crafted link (by email, chat, or a page the victim visits) to a user of a site that runs the vulnerable plugin; the attacker needs no account on the site and no special network position, but the victim must open the link. Once such a link is delivered, exploitation is straightforward, since the payload is a single URL parameter.
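For the attack path above, a responder will want to know whether crafted links to this endpoint have already been opened against a site. The following is an added example, not part of the OpenCVE record or Jetpack's code: it scans combined-format access-log lines for requests to grunion-form-view.php whose post_id is anything other than a plain positive integer after URL decoding. The log lines are constructed for illustration, and the plugin path shown in them is an assumption about a default WordPress layout; the check matches on the file name only, so the directory does not matter.

```php
<?php
// Added example, not from the OpenCVE page or from Jetpack. Constructed
// access-log lines (combined format); the plugin directory is assumed.
$log_lines = array(
    '203.0.113.5 - - [10/May/2026:13:00:01 +0000] "GET /wp-content/plugins/jetpack/modules/contact-form/grunion-form-view.php?post_id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2026:13:00:09 +0000] "GET /wp-content/plugins/jetpack/modules/contact-form/grunion-form-view.php?post_id=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1601 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2026:13:00:12 +0000] "GET /wp-content/plugins/jetpack/modules/contact-form/grunion-form-view.php?post_id=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1598 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2026:13:01:00 +0000] "GET /?p=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
);

// Returns the suspicious requests: hits on grunion-form-view.php whose
// post_id, once URL-decoded, is not a well-formed post ID. Decoding first
// matters because a WAF or grep on the raw line misses percent-encoded
// and double-encoded payloads.
function find_post_id_injection( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        // Pull the request target out of the quoted request line.
        if ( ! preg_match( '/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }
        $path  = parse_url( $m[1], PHP_URL_PATH );
        $query = parse_url( $m[1], PHP_URL_QUERY );
        if ( ! is_string( $path ) || basename( $path ) !== 'grunion-form-view.php' ) {
            continue;
        }
        if ( ! is_string( $query ) ) {
            continue;
        }
        parse_str( $query, $params ); // parse_str() percent-decodes the values
        if ( ! isset( $params['post_id'] ) || is_array( $params['post_id'] ) ) {
            continue;
        }
        $value = $params['post_id'];
        if ( preg_match( '/^[1-9][0-9]*$/', $value ) ) {
            continue; // a plain post ID, the only legitimate shape
        }
        $hits[] = array(
            'client'  => strtok( $line, ' ' ), // first field of the combined format
            'post_id' => $value,
            'line'    => $line,
        );
    }
    return $hits;
}

foreach ( find_post_id_injection( $log_lines ) as $hit ) {
    printf( "%s post_id=%s\n", $hit['client'], $hit['post_id'] );
}
```

Run it with `php` on a file built from real logs (one line per array element, or read the file with `file()`); the two requests from 198.51.100.7 are reported and the benign `post_id=42` and the unrelated `/?p=42` are not. A 200 response to a flagged request only shows the server rendered the page, not that anyone's browser executed the payload, so hits should be correlated with the client addresses of real users rather than treated as confirmed compromise.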

Generated by OpenCVE AI on May 10, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Jetpack to a current release. The record does not name the version that fixed this issue, so confirm the fix against Jetpack's changelog rather than assuming any version above 9.1 is safe.
  • As a stopgap, configure the web application firewall to block requests to grunion-form-view.php whose post_id is not a plain integer; match after URL decoding, since percent-encoded or double-encoded payloads bypass rules that look for literal script tags.
  • In the code, treat post_id as what it is, a numeric post identifier: cast it with absint() or intval() before use, reject zero or negative values, and escape anything echoed into HTML with esc_attr() or esc_html() so the output encoding does not depend on what the input contained.
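The vulnerable shape described in the Impact section and the validate-and-escape fix recommended above, side by side. This is an added illustration, not Jetpack's own code for grunion-form-view.php, whose original source the record does not show; the WordPress helpers absint() and esc_attr() are stubbed with equivalent logic so the script runs outside WordPress, and the request array is constructed.

```php
<?php
// Added example, not Jetpack's code. Stand-ins for WordPress core helpers so
// this runs without WordPress; inside a plugin the real absint()/esc_attr()
// are already defined and these branches are skipped.
if ( ! function_exists( 'absint' ) ) {
    function absint( $maybeint ) {
        return abs( (int) $maybeint );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable pattern: the raw query value is copied straight into markup, so a
// value containing a closing quote and bracket escapes the attribute and the
// rest of it is parsed as HTML.
function render_vulnerable( array $get ): string {
    $post_id = $get['post_id'] ?? '';
    return '<input type="hidden" name="post_id" value="' . $post_id . '">';
}

// Hardened pattern: validate first (a post ID is a positive integer), then
// escape on output anyway. Either step alone stops this payload; keeping both
// means a later change to the validation does not silently reopen the sink.
function render_hardened( array $get ): string {
    $post_id = absint( $get['post_id'] ?? 0 );
    if ( 0 === $post_id ) {
        // Not a usable post ID: fail closed instead of reflecting the input.
        return '<p>Invalid post_id</p>';
    }
    return '<input type="hidden" name="post_id" value="' . esc_attr( $post_id ) . '">';
}

// Constructed requests: an attribute-breaking payload, a payload with no
// leading digits, and a benign ID.
$attr_break = array( 'post_id' => '1"><script>alert(document.domain)</script>' );
$no_digits  = array( 'post_id' => '<img src=x onerror=alert(1)>' );
$benign     = array( 'post_id' => '42' );

echo "vulnerable: ", render_vulnerable( $attr_break ), "\n";
echo "hardened:   ", render_hardened( $attr_break ), "\n";
echo "hardened:   ", render_hardened( $no_digits ), "\n";
echo "hardened:   ", render_hardened( $benign ), "\n";
```

In the vulnerable output the `"><` sequence terminates the input element and the script tag lands in the page. In the hardened version the cast keeps only the leading `1` of the first payload and reduces the second to `0`, which the zero check rejects, so neither reaches the markup; the benign request renders `value="42"` as before.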


Tracking


Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Values added (nothing removed):
  First time appeared: Jetpack (jetpack), Wordpress (wordpress)
  Vendors & Products: Jetpack (jetpack), Wordpress (wordpress)

Sun, 10 May 2026 12:45:00 +0000

Values added (nothing removed):
  Description: the text shown at the top of this page
  Title: WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php
  First time appeared: Automattic (jetpack Boost)
  Weaknesses: CWE-79
  CPEs: cpe:2.3:a:automattic:jetpack_boost:9.1:*:*:*:*:*:*:*
  Vendors & Products: Automattic (jetpack Boost)
  References: none listed
  Metrics:
    cvssV3_1: score 6.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvssV4_0: score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:12:52.940Z

Reserved: 2026-01-11T13:34:26.332Z

Link: CVE-2022-50958

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:33.440

Modified: 2026-05-10T13:16:33.440

Link: CVE-2022-50958

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:23:53Z

Weaknesses