The developers of the popular Jetpack plugin for WordPress have patched a critical vulnerability that allows malicious actors to attack website administrators.
Jetpack, a plugin with more than one million active installs, provides WordPress website administrators tools needed for customization, security, traffic, and performance.
According to Sucuri, Jetpack 3.7 and earlier are plagued by a stored cross-site scripting (XSS) vulnerability that affects the plugin’s contact form module, which is activated by default.
An attacker can exploit the vulnerability by entering malicious JavaScript code into the email address field of the targeted website’s contact form.
“As the email is not sanitized properly before being output on the ‘Feedback’ administrative section, the attacker could use this bug and a bit of web browser hackery to execute JavaScript code on the administrator’s end, allowing them to do whatever they wants with the site (hiding a backdoor for future exploitation of the hacked site, injecting SEO spam, etc.),” Sucuri vulnerability researcher Marc-Alexandre Montpas explained in a blog post.
Montpas has pointed out that Jetpack uses some filters and functions to sanitize email addresses and ensure that they are valid. However, experts have managed to bypass the constraints by leveraging various tricks, such as inserting slashes between attributes and replacing semicolons with the equivalent HTML decimal code (;).
Sucuri noted that unlike the less dangerous reflected XSS, which requires the attacker to trick the victim into clicking on a specially crafted link, stored XSS flaws are far more serious since they allow the attacker to insert malicious code into the targeted website and the code gets executed as soon as a user visits the page containing it.
This XSS vulnerability was addressed last week by the developers of the Jetpack plugin with the release of version 3.7.1. Users are advised to update their installations to version 3.7.1 or later.
Earlier this year, Sucuri warned users of Jetpack and other popular WordPress plugins and themes about a security hole in the genericons icon font package. WordPress plugins and themes using this package were exposed to XSS attacks due to a vulnerability in the package’s example page.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
