The developers of the popular Jetpack plugin for WordPress have patched a critical vulnerability that allows malicious actors to attack website administrators.
Jetpack, a plugin with more than one million active installs, provides WordPress website administrators tools needed for customization, security, traffic, and performance.
According to Sucuri, Jetpack 3.7 and earlier are plagued by a stored cross-site scripting (XSS) vulnerability that affects the plugin’s contact form module, which is activated by default.
An attacker can exploit the vulnerability by entering malicious JavaScript code into the email address field of the targeted website’s contact form.
“As the email is not sanitized properly before being output on the ‘Feedback’ administrative section, the attacker could use this bug and a bit of web browser hackery to execute JavaScript code on the administrator’s end, allowing them to do whatever they wants with the site (hiding a backdoor for future exploitation of the hacked site, injecting SEO spam, etc.),” Sucuri vulnerability researcher Marc-Alexandre Montpas explained in a blog post.
Montpas has pointed out that Jetpack uses some filters and functions to sanitize email addresses and ensure that they are valid. However, experts have managed to bypass the constraints by leveraging various tricks, such as inserting slashes between attributes and replacing semicolons with the equivalent HTML decimal code (;).
Sucuri noted that unlike the less dangerous reflected XSS, which requires the attacker to trick the victim into clicking on a specially crafted link, stored XSS flaws are far more serious since they allow the attacker to insert malicious code into the targeted website and the code gets executed as soon as a user visits the page containing it.
This XSS vulnerability was addressed last week by the developers of the Jetpack plugin with the release of version 3.7.1. Users are advised to update their installations to version 3.7.1 or later.
Earlier this year, Sucuri warned users of Jetpack and other popular WordPress plugins and themes about a security hole in the genericons icon font package. WordPress plugins and themes using this package were exposed to XSS attacks due to a vulnerability in the package’s example page.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- macOS 14 Sonoma Patches 60 Vulnerabilities
- New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
- Microsoft Adding New Security Features to Windows 11
- Sony Investigating After Hackers Offer to Sell Stolen Data
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
Latest News
- Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
- CISA Unveils New HBOM Framework to Track Hardware Components
- Gem Security Lands $23 Million Series A Funding
- Misconfigured TeslaMate Instances Put Tesla Car Owners at Risk
- Firefox 118 Patches High-Severity Vulnerabilities
- Stolen GitHub Credentials Used to Push Fake Dependabot Commits
- Google Open Sources Binary File Comparison Tool BinDiff
- macOS 14 Sonoma Patches 60 Vulnerabilities
