On May 27, Jetpack for WordPress announced a critical security update to its immensely popular plugin, which brings a large set of features to WordPress. According to WordPress.org, Jetpack is currently installed on over 1 million sites, with more than 25 million lifetime downloads.
Jetpack for WordPress 4.0.3: Critical Security Update
According to Carolyn Sonnek of Jetpack, “We found a vulnerability in the way that some Jetpack shortcodes are processed. This bug has existed since Jetpack 2.0, released in November 2012.” Wait a minute…did she just say November 2012? It’s remarkable that this flaw has never been exploited in the wild, but now that the news is out, you can bet that attackers are going to have a field day.
The good news is that if you are using Akismet for spam protection, you are safe from this exploit. Sites running VaultPress 1.8.3 are also protected. However, Carolyn still recommends updating Jetpack to its latest version.
According to Jetpack, they have patched all the vulnerable versions of the plugin; 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3, 3.9.7, and 4.0.3. Downloads for each branch can be found here.
Sucuri Security Disclosure
Carolyn also thanked Marc-Alexandre Montpas of Sucuri for researching and responsibly disclosing this issue. According to Marc-Alexandre, the issue is a stored cross-site scripting (XSS) vulnerability that can be easily exploited remotely via WordPress comments. He goes on to recommend that everyone using Jetpack update or patch their installation immediately.
The security disclosure explains that, because this is a cross-site scripting (XSS) vulnerability, it could allow an attacker to hijack administrator accounts, inject SEO spam into the affected page, and redirect visitors to malicious websites.
If you would like us to help you with this update, please feel free to contact us or request a quote and one of our WordPress security experts will get back to you right away. You may also call us at +63 44 769 4023 or Skype us at dcgws_internet_solutions.