Jetpack Plug-in Vulnerability Puts Over a Million WordPress Sites Open to XSS Attacks

Malicious code could be injected via plug-in
Users who maintain WordPress-hosted websites need to update their Jetpack plug-in to close a vulnerability. The tool is a popular choice, offering site optimization, security and management features. Jetpack is built by Automattic, the same developers as WordPress.com (they are also behind the WordPress open-source project). The plug-in has more than one million installations at present.

A cross-site scripting (XSS) vulnerability was discovered by researchers at Sucuri; it affects Jetpack releases from v2.0 (2012) onwards. Jetpack is a useful tool that allows users to embed external images, videos, documents, tweets and the like into site content. The element of the plug-in that manages this is the Shortcode Embeds module, and therein the problem lies. The flaw can be easily exploited to allow a third party to insert malicious JavaScript into comments.

Bad Java again
Because the malicious JavaScript persists in the stored comment, the code is executed in visitors’ browsers whenever the (malicious) comment is viewed. With this code in place, hackers can redirect visitors to compromised sites, steal authentication cookies (including admin-level ones), and manipulate search optimization for spam purposes. A researcher for Sucuri advised, “The vulnerability can be easily exploited via wp-comments and we recommend everyone to update asap, if you have not done so yet.”

Get a patch and prevent malicious comments
Sites that are not using the Shortcode Embeds module are not susceptible to this vulnerability, though as this element of Jetpack serves such a popular function, most websites will have it enabled. The developers have coordinated with the WordPress security team to push updates to affected versions via the central auto-update route, though users should check that this has completed successfully. Jetpack v4.0.3 onwards contains the patch. For users who want to retain their current Jetpack branch, the developers have issued twenty-one point releases covering all branches from v2.0.7 to 3.9.7.
