Computer Emergency Response Team of Mauritius (CERT-MU)

Stored Cross-site Scripting vulnerability identified in Jetpack plugin for WordPress


Security researchers have identified a critical stored cross-site scripting (XSS) vulnerability in the popular Jetpack plugin for WordPress websites. The Jetpack plugin opens up a number of features for WordPress site operators, including customization, traffic, mobile, content and performance tools. It currently has more than a million active downloads.

The stored XSS bug puts any affected WordPress website at risk of being completely taken over. The issue was fixed earlier this week with the release of Jetpack 3.7.1 and 3.7.2, but anyone who is still running Jetpack 3.7 or lower is vulnerable.

According to the researchers, an attacker can exploit this vulnerability by entering a specially crafted malicious email address into one of the affected WordPress website’s contact form pages. The post noted that Jetpack's contact form module is activated by default. As the email is not sanitized properly before being output on the ‘Feedback’ administrative section, the attacker could use this bug and a bit of web browser hackery to execute JavaScript code on the administrator's end, allowing them to do whatever they [want] with the site (hiding a backdoor for future exploitation of the hacked site, injecting SEO spam, etc.).
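
The failure class described above, a stored contact-form field written into an administrative page without encoding, is shown here beside a corrected version. This is an added illustration in plain PHP, not Jetpack's code; the function names, the table-cell markup and the sample values are constructed for the example.

```php
<?php
// Added example, not Jetpack's code. All names and sample values are constructed.

// Input side: strict allowlist for the contact-form email field.
// Deliberately narrower than RFC 5322: no quotes, angle brackets or spaces.
function is_plain_email(string $email): bool
{
    return strlen($email) <= 254
        && preg_match('/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/', $email) === 1;
}

// BEFORE: the stored value is concatenated into the admin page unchanged,
// so any markup it contains is parsed by the administrator's browser.
function feedback_row_unsafe(string $email): string
{
    return '<td class="author-email">' . $email . '</td>';
}

// AFTER: encode for the HTML context at output time, whatever was stored.
// In WordPress the equivalent call is esc_html() (esc_attr() inside attributes).
function feedback_row_safe(string $email): string
{
    return '<td class="author-email">'
        . htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</td>';
}

// Constructed, inert sample values: a normal address and one carrying markup.
$samples = ['alice@example.com', 'x"><b>injected</b>@example.com'];

foreach ($samples as $email) {
    printf("input    : %s\n", $email);
    printf("accepted : %s\n", is_plain_email($email) ? 'yes' : 'no (reject at submission)');
    printf("unsafe   : %s\n", feedback_row_unsafe($email));
    printf("safe     : %s\n\n", feedback_row_safe($email));
}
```

Validation at submission and encoding at output are independent controls: entries stored before a fix is applied are only neutralised by the output-side encoding.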
 
Source:
SC Magazine
Threatpost
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis