Malicious code could be injected via plug-in
Users who maintain WordPress hosted websites need to update their Jetpack plug-in to plug a vulnerability. The tool is a popular choice, offering site optimization, security and management features. Jetpack has the same developers as WordPress.com – Automattic (they are also behind the WordPress open-source project). The plug-in has more than one million installations at present.
Bad Java again
Get a patch and prevent malicious comments
Sites that are not using the Shortcode Embeds module are not susceptible to this vulnerability, though as this element of Jetpack serves such a popular function, most websites will have it enabled. The developers have coordinated with WordPress security to push updates to affected versions via the central auto-update route, though users should check that this has been done successfully. Jetpack v4.0.3 onwards contains the patch. For users who want to retain their current Jetpack version, developers have issued twenty-one point releases for all branches from v2.0.7 – 3.9.7.