Jetpack Users Should Update Immediately To Remove XSS Risk
Users of the popular Jetpack WordPress plugin collection should immediately update. A recently discovered cross-site scripting vulnerability may put Jetpack users at risk of having their site compromised. The vulnerability was present in Jetpack as far back as 2012. A patch that fixes the vulnerability has been released with version 4.0.3 of Jetpack. WordPress site owners who don’t update to the most recent version of Jetpack are at risk.
The vulnerability is in the Shortcode Embeds module of Jetpack. Shortcode embeds allow WordPress users to embed content from other sites into their site’s pages – they’re especially useful for quickly embedding video content. An attacker may be able to leverage a vulnerability in the way these shortcodes are handled to inject arbitrary code into WordPress pages via a carefully crafted comment.