Jetpack vulnerability exposed!!

May 21, 2016 4:39 am Published by Leave your thoughts

As many of you are well aware, Jetpack is a utility plugin offered by WordPress.com.

I personally don’t use it because it’s heavy and I also don’t find functionalities Jetpack offer not very compelling.

jetpack-1544x500

Sucuri have found a stored cross-site scripting (XSS) vulnerability that affects all Jetpack releases since 2012, starting with version 2.0.

Apparently, the vuln is located in the Shortcode Embeds of Jetpack module which allows users to embed external videos, images, documents, tweets and other resources into their content. It can be easily exploited to inject malicious JavaScript code into comments.

Since the JavaScript code is persistent, it will get executed in users’ browsers in the context of the affected website every time they view the malicious comment. This can be used to steal their authentication cookies, including the administrator’s session; to redirect visitors to exploits, or to inject search engine optimization (SEO) spam.

XSS vulnerability doesn’t put the site at risk per se.

https://en.wikipedia.org/wiki/Cross-site_scripting

However, XSS vulnerabilities are known to grant a skilled attacker the possibility of taking over user accounts, including the main admin profile. Sucuri points out that you don’t necessarily have to take over a user account, though, and attackers could simply use this XSS flaw to insert SEO spam on a site or embed redirections that will steal Web traffic.

The Jetpack team released version 4.0.3 on May 26 to address the issue discovered and reported by Sucuri on May 12.

Tags: , ,

Categorized in:

This post was written by hackya

Leave a Reply

Your email address will not be published. Required fields are marked *