Vulnerability fixed in Jetpack 4.0.3. Severity: 6.1 (Medium)
By Mark Maunder for WordFence. Original here.
An XSS vulnerability has been fixed in Jetpack version 4.0.3 which was released yesterday. If you haven’t automatically been updated to Jetpack 4.0.3 please update immediately. The CVSS score we have calculated for this vulnerability is 6.1 (Medium).
If you are running the Wordfence firewall, we have verified with our own proof-of-concept attack that you are already protected against this exploit.
Jetpack parses HTML looking for objects like Vimeo links. If it finds a Vimeo link or similar object it tries to be helpful and turn it into the Vimeo embedded video code. The trouble with the vulnerable version of Jetpack is that it doesn’t check if the link isn’t already surrounded by potentially malicious HTML tags.
The attack that this vulnerability enables is a stored cross site scripting attack or ‘stored XSS’. It allows an attacker to include malicious javascript in comments which execute within site visitor and site owner’s web browsers.
The fix released by the Jetpack team enhances the filtering that is performed on incoming comments.
The Akismet team has already released a fix for this which prevents malicious comments from being posted. They are filtering out comments that contain the malicious payload that exploits this vulnerability.
The WordPress security team are pushing security hotfixes that will fix this issue. This issue affects the following versions of Jetpack: Versions: 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3 and 3.9.7.
If you are using Wordfence firewall (free or paid) you are already protected against this exploit because Wordfence has built in protection against stored XSS attacks.
If you haven’t updated to Jetpack 4.0.3 then please update now.
Jetpack have posted a detailed blog post about the vulnerability.
They have also included a helpful FAQ.
MyWordPress recommends WordFence Premium for every website. We assist with pre-installation testing, virus and trojan cleanup, WordFence installation and configuration setting for optimum security and live monitoring, plus we give your systems and processes a health check to ensure you’re following best practice as much as possible to keep your website protected.