WordPress Jetpack Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in the WordPress Jetpack plugin, specifically in version 9.1. The grunion-form-view.php endpoint reflects the post_id parameter into its response without adequate sanitization or output encoding, so an unauthenticated attacker can craft a URL to that endpoint with a script payload in post_id. When an affected user opens such a URL, the embedded script executes as arbitrary JavaScript in that user's browser.

Impact

Exploitation of this vulnerability results in reflected cross-site scripting: the attacker's script runs in the context of the victim's browser session on the affected site, with whatever access that session has.

Reproduction

To reproduce this vulnerability, send a request to the grunion-form-view.php endpoint with a post_id parameter that includes a script payload, such as an alert script. This can be done by crafting a URL that targets the vulnerable endpoint and includes the malicious script in the post_id parameter.
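For detection rather than reproduction, the following is an added example (not part of this advisory and not Jetpack code) that scans web-server access-log lines for requests to grunion-form-view.php whose post_id is anything other than a plain integer, which is the only shape a legitimate post_id should have. The log lines are constructed samples, and the plugin path in them is assumed; the check matches on the file name only.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (assumed plugin path; not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:13:20:01 +0000] "GET /wp-content/plugins/jetpack/modules/contact-form/grunion-form-view.php?post_id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:13:21:17 +0000] "GET /wp-content/plugins/jetpack/modules/contact-form/grunion-form-view.php?post_id=42%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1601 "-" "curl/8.0"
198.51.100.7 - - [10/May/2026:13:22:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:13:23:44 +0000] "GET /wp-content/plugins/jetpack/modules/contact-form/grunion-form-view.php?post_id=latest HTTP/1.1" 200 1590 "-" "curl/8.0"
"""

# Combined log format: client, ident, user, [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INTEGER_RE = re.compile(r'^\d+$')


def suspicious_post_id(target: str) -> Optional[str]:
    """Return the decoded post_id when the request targets grunion-form-view.php
    with a post_id that is not a plain integer; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/grunion-form-view.php'):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get('post_id')
    if not values:
        return None
    for value in values:
        # parse_qs decodes once; decode again so a double-encoded value is
        # judged on what the server would ultimately see.
        decoded = unquote(value)
        if not INTEGER_RE.match(decoded):
            return decoded
    return None


def scan_log(text: str) -> list:
    """Return one record per log line that carries a non-integer post_id."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        bad = suspicious_post_id(match['target'])
        if bad is not None:
            hits.append({'ip': match['ip'], 'ts': match['ts'],
                         'post_id': bad, 'status': int(match['status'])})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} post_id={hit['post_id']!r} status={hit['status']}")
```

A non-integer post_id is an anomaly rather than proof of exploitation, so treat a hit as a lead to confirm against the response body and the client's other requests.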

Remediation

Users are advised to update the Jetpack plugin to version 15.8 or later, where this vulnerability has been fixed.

Added: May 10, 2026, 1:23 PM
Updated: May 10, 2026, 1:23 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.