Jetpack Users Should Update Immediately To Remove XSS Risk
Users of the popular Jetpack WordPress plugin collection should immediately update. A recently discovered cross-site scripting vulnerability may put Jetpack users at risk of having their site compromised. The vulnerability was present in Jetpack as far back as 2012. A patch that fixes the vulnerability has been released with version 4.0.3 of Jetpack. WordPress site owners who don’t update to the most recent version of Jetpack are at risk.
The vulnerability is in the Shortcode Embeds module of Jetpack. Shortcode embeds allow WordPress users to embed content from other sites into their site’s pages – they’re especially useful for quickly embedding video content. An attacker may be able to leverage a vulnerability in the way these shortcodes are handled to inject arbitrary code into WordPress pages via a carefully crafted comment.
Cross-site scripting vulnerabilities are the most common vulnerability to afflict web applications like WordPress. Web browsers are a unique category of application that allows third-parties to run arbitrary code on a computer – all that the user has to do is visit the site and HTML, CSS, and JavaScript will be executed or interpreted. There are many protections in place to prevent malicious code from running, but JavaScript that comes from the same place as the rest of the page is trusted.
If a malicious user can find a way to get their JavaScript code executed on a page, they can access all of the information the browser has about that page, including authentication cookies – if an admin visits a page with injected JavaScript designed to send her authentication cookie to the attacker, the site will almost certainly be compromised.
Normally, that’s not a problem because web developers go to great lengths to prevent anyone from injecting JavaScript into web pages. When a user is allowed to enter content that will be loaded in other browsers – comments are the classic example – it is sanitized and rendered harmless.
A cross-site scripting vulnerability occurs when there’s a flaw in the web application that allows JavaScript to be placed on the page in a form that web browsers will run. That’s exactly what happened here. By entering a carefully designed comment that uses an embed shortcode, the attacker can bypass XSS protections and have their JavaScript placed on the page.
While this is a serious vulnerability, it was patched very quickly by Jetpack’s developers. Sucuri reported the vulnerability in mid-May and a patch was released soon thereafter.
There is no evidence that the vulnerability was being actively used by attackers, but it has now been publicly disclosed by both Jetpack and Sucuri. It’s a near certainty that criminals are integrating this attack with their tools and will use it against as many WordPress sites as they can. If you haven’t already updated to Jetpack 4.0.3, I strongly recommend that you make the time to do it now.
