Security Experts:

Critical XSS Flaw Patched in Jetpack WordPress Plugin

The developers of the popular Jetpack plugin for WordPress have patched a critical vulnerability that allows malicious actors to attack website administrators.

Jetpack, a plugin with more than one million active installs, provides WordPress website administrators tools needed for customization, security, traffic, and performance.

According to Sucuri, Jetpack 3.7 and earlier are plagued by a stored cross-site scripting (XSS) vulnerability that affects the plugin’s contact form module, which is activated by default.

An attacker can exploit the vulnerability by entering malicious JavaScript code into the email address field of the targeted website’s contact form.

“As the email is not sanitized properly before being output on the ‘Feedback’ administrative section, the attacker could use this bug and a bit of web browser hackery to execute JavaScript code on the administrator’s end, allowing them to do whatever they wants with the site (hiding a backdoor for future exploitation of the hacked site, injecting SEO spam, etc.),” Sucuri vulnerability researcher Marc-Alexandre Montpas explained in a blog post.

Montpas has pointed out that Jetpack uses some filters and functions to sanitize email addresses and ensure that they are valid. However, experts have managed to bypass the constraints by leveraging various tricks, such as inserting slashes between attributes and replacing semicolons with the equivalent HTML decimal code (&#59).

Sucuri noted that unlike the less dangerous reflected XSS, which requires the attacker to trick the victim into clicking on a specially crafted link, stored XSS flaws are far more serious since they allow the attacker to insert malicious code into the targeted website and the code gets executed as soon as a user visits the page containing it.

This XSS vulnerability was addressed last week by the developers of the Jetpack plugin with the release of version 3.7.1. Users are advised to update their installations to version 3.7.1 or later.

Earlier this year, Sucuri warned users of Jetpack and other popular WordPress plugins and themes about a security hole in the genericons icon font package. WordPress plugins and themes using this package were exposed to XSS attacks due to a vulnerability in the package’s example page.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.