CVE-2022-50958: WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php
WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers.
Security readout for executives and security teams
Plain-English summary
Jetpack 9.1 for WordPress has a reflected cross-site scripting issue. An attacker can lure a user to a crafted link so JavaScript runs in that user's browser under the affected site. Business impact is usually phishing, session exposure, or action manipulation, but user interaction is required and the source bundle does not show active exploitation.
Executive priority
Treat as a near-term remediation item for public WordPress sites, especially sites with authenticated users or administrative browsing. It is not a critical emergency based on the provided evidence, but public exploit information raises practical risk if Jetpack 9.1 remains deployed.
Technical view
CVE-2022-50958 affects Jetpack 9.1 and is scored CVSS 3.1 6.1. The described flaw is reflected XSS in grunion-form-view.php through improper handling of the post_id parameter. It is unauthenticated, network-reachable, low complexity, and requires victim interaction. Scope is changed with low confidentiality and integrity impact, and no availability impact.
Likely exposure
Exposure is most likely on WordPress sites running Jetpack 9.1, especially where the grunion form view endpoint is reachable. The bundle does not identify other affected versions, CPEs, or hosting-specific conditions.
Exploitation context
The bundle includes an ExploitDB reference, so public exploit information exists. It is not listed as CISA KEV, and the provided sources do not substantiate active exploitation in the wild.
Researcher notes
Evidence is limited to the CVE description, VulnCheck advisory, ExploitDB reference, and product page. No fixed version, patch commit, or vendor advisory details are provided in the bundle. Avoid broad version assumptions beyond Jetpack 9.1.
Mitigation direction
Inventory WordPress sites and identify any Jetpack 9.1 installations.
Check Jetpack and WordPress plugin guidance for a supported fixed version.
Update or remove affected Jetpack deployments according to vendor guidance.
Temporarily reduce exposure of affected form functionality if update timing is delayed.
Validation and detection
Confirm installed Jetpack versions across production, staging, and archived WordPress sites.
Check whether grunion-form-view.php is reachable on affected sites.
Review web logs for unusual requests to grunion-form-view.php involving post_id.
Verify remediation by confirming Jetpack is no longer version 9.1.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.