Jetpack Plugin Vulnerability Places a Million WordPress Websites At Risk

Security researchers have discovered a serious Jetpack plugin vulnerability that places sites at risk of attack by hackers. If you run WordPress sites for your company and you use the Jetpack website optimization plugin, you must perform an update as soon as possible to prevent the flaw from being exploited.

The Jetpack plugin vulnerability can be leveraged to inject malicious JavaScript code into websites, or to insert links, videos, documents, images, and other resources. This would place visitors to the site at risk of malware or ransomware downloads. Malicious actors could embed JavaScript code in site comments, and every time a visitor viewed such a comment the code would run in their browser. Visitors could be redirected to other websites, the flaw could be used to steal authentication cookies and hijack administrator accounts, or links to websites hosting exploit kits could be embedded in the page.

The flaw can also be exploited by competitors to negatively affect search engine rankings by using SEO spamming techniques, which could have serious consequences for site ranking and traffic.

Over a Million WordPress Websites Affected by the New Jetpack Plugin Vulnerability

The Jetpack plugin vulnerability was recently discovered by researchers at Sucuri. The flaw is a stored cross-site scripting (XSS) vulnerability that was first introduced in 2012, affecting version 2.0 of the plugin. All subsequent versions of Jetpack also contain the same Shortcode Embeds Jetpack module vulnerability.
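To show why a shortcode embed that renders user comments becomes a stored XSS, here is an added example of a hypothetical comment renderer in the same pattern (constructed for this article, not Jetpack's code): the unsafe version drops the shortcode's attribute straight into HTML, the hardened version validates the URL and escapes everything. The shortcode syntax, the host allowlist and the sample comments are assumptions.

```python
import html
import re
from urllib.parse import urlparse

# Hypothetical shortcode syntax: [youtube <url>] inside a comment body.
SHORTCODE = re.compile(r"\[youtube\s+([^\]]+)\]")
# Hosts a video embed may point at (assumed allowlist for this example).
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}

# Constructed sample comments: one legitimate, one carrying a breakout
# of the src attribute so that browser-executed markup is stored.
COMMENT_OK = "Great talk: [youtube https://www.youtube.com/watch?v=abc]"
COMMENT_BAD = 'Nice! [youtube https://www.youtube.com/"><script>bad()</script>]'


def render_unsafe(comment: str) -> str:
    """Vulnerable pattern: the attacker-controlled attribute is interpolated
    unescaped, so a crafted comment closes the src attribute and the iframe
    and adds its own markup, which runs for every visitor who views it."""
    return SHORTCODE.sub(lambda m: f'<iframe src="{m.group(1)}"></iframe>', comment)


def embed_url(raw: str):
    """Return the embed URL if it is http(s) on an allow-listed host, else None.
    Rejects javascript:/data: schemes and arbitrary third-party hosts."""
    u = urlparse(raw.strip())
    if u.scheme not in ("http", "https") or u.hostname not in ALLOWED_HOSTS:
        return None
    return u.geturl()


def render_safe(comment: str) -> str:
    """Hardened pattern: text outside shortcodes is HTML-escaped, a shortcode
    becomes an iframe only when its URL validates, and the URL itself is
    attribute-escaped; anything else is shown as escaped plain text."""
    out, pos = [], 0
    for m in SHORTCODE.finditer(comment):
        out.append(html.escape(comment[pos:m.start()]))
        url = embed_url(m.group(1))
        if url is None:
            out.append(html.escape(m.group(0)))
        else:
            out.append(f'<iframe src="{html.escape(url, quote=True)}"></iframe>')
        pos = m.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)
```

Running both renderers over COMMENT_BAD shows the difference: the unsafe output contains a live script element, the hardened output contains only escaped text.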

Jetpack is a popular WordPress plugin developed by Automattic, the company behind WordPress.com, and has been downloaded and used on more than one million websites. This is not only a problem for website owners but also for visitors, whose computers could be infected with ransomware or malware if the flaw is exploited. Flaws such as this highlight the importance of using web filtering software that blocks redirects to malicious websites.

While many WordPress plugin vulnerabilities require a substantial skill level to exploit, the Jetpack plugin vulnerability takes very little skill to exploit. Fortunately, Jetpack has not discovered any active exploits in the wild; however, now that the vulnerability has been announced and details of how to exploit it have been published online, it is only a matter of time before hackers and other malicious actors take advantage of it.

The flaw can only be exploited if the Shortcode Embeds Jetpack module is enabled, but all users of the plugin are strongly advised to update their sites as soon as possible. Jetpack has worked with WordPress to push the update out via the WordPress core update system. If you already have version 4.0.3 installed, you are protected.

Jetpack reports that even if the flaw has already been exploited, updating to the latest version of the software will remove any exploits already on the website.


Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writes about compliance and the related area of IT security breaches, with a focus on data privacy and the secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone