Users of the popular Jetpack WordPress plugin collection should immediately update. A recently discovered cross-site scripting vulnerability may put Jetpack users at risk of having their site compromised. The vulnerability was present in Jetpack as far back as 2012. A patch that fixes the vulnerability has been released with version 4.0.3 of Jetpack. WordPress site owners who don’t update to the most recent version of Jetpack are at risk.
The vulnerability is in the Shortcode Embeds module of Jetpack. Shortcode embeds allow WordPress users to embed content from other sites into their site’s pages – they’re especially useful for quickly embedding video content. An attacker may be able to leverage a vulnerability in the way these shortcodes are handled to inject arbitrary code into WordPress pages via a carefully crafted comment.
While this is a serious vulnerability, it was patched very quickly by Jetpack’s developers. Sucuri reported the vulnerability in mid-May and a patch was released soon thereafter.
There is no evidence that the vulnerability was being actively used by attackers, but it has now been publicly disclosed by both Jetpack and Sucuri. It’s a near certainty that criminals are integrating this attack with their tools and will use it against as many WordPress sites as they can. If you haven’t already updated to Jetpack 4.0.3, I strongly recommend that you make the time to do it now.