Security experts have identified a major Jetpack plugin vulnerability that places sites in danger of attack by hackers. If you operate WordPress sites for your company and you use the Jetpack website optimization plugin, you must carry out an update as soon as possible to stop the flaw from being attacked.

The Jetpack plugin vulnerability can be used to inject malicious JavaScript code into websites, or to place links, videos, documents, images and other resources. This would put visitors to the site in danger of malware or ransomware downloads. Malicious actors could insert malicious JavaScript code in the site comments, and every time a visitor views a malicious comment the script would run in that visitor's browser. Visitors could be redirected to alternative websites, the flaw could be used to steal authentication cookies and hijack administrator accounts, or to embed links to websites hosting exploit kits.

The weakness can also be used by competitors to negatively impact search engine rankings by using SEO spamming techniques, which could have significant consequences for site ranking and traffic.

The Jetpack plugin flaw was recently discovered by experts at Sucuri. The flaw is a stored cross-site scripting (XSS) vulnerability that was first introduced in 2012 in version 2.0 of the plugin. All subsequent versions of Jetpack carry the same flaw in the Shortcode Embeds Jetpack module.

Jetpack is a popular WordPress plugin that was introduced by the people behind WordPress.com, Automattic, and is installed on more than one million websites. This is not only an issue for website managers, but for web visitors, whose computers could be infected with ransomware or malware if the vulnerability is exploited. Weaknesses such as this emphasize the importance of using web filtering software that blocks redirects to malicious websites.

While many WordPress plugin flaws require a substantial skill level to exploit, the Jetpack plugin vulnerability takes very little expertise to exploit. Luckily, Jetpack has not found any active exploits in the wild; however, now that the vulnerability has been revealed, and details published online about how to exploit it, it is only a matter of time before hackers and malicious actors target it.

The vulnerability can only be exploited if the Shortcode Embeds Jetpack module is turned on, although all users of the plugin are strongly encouraged to update their sites as soon as possible. Jetpack has worked with WordPress to get the update pushed out through the WordPress core update system. If you already have version 4.0.3 in place, you are protected.

Jetpack has said that even if the vulnerability has already been exploited, updating to the latest version of the software will delete any exploits already on the website.
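Site operators with many WordPress installs can script the check described above. The following WP-CLI wrapper is an added example, not code from the article, Sucuri or Jetpack: it compares the installed Jetpack version against the 4.0.3 fix and, where the plugin is still vulnerable, reports whether the Shortcode Embeds module (slug assumed to be `shortcodes`) is active; the output format of `wp jetpack module list` is an assumption and is matched loosely.

```shell
#!/bin/sh
# Added example: flag WordPress installs whose Jetpack still has the
# Shortcode Embeds stored-XSS flaw (fixed in Jetpack 4.0.3).
FIXED_VERSION="4.0.3"

# Return 0 if dotted version $1 is lower than $2 (compares up to 4 parts;
# a trailing suffix such as "-beta" on a part is ignored).
version_lt() {
    a="$1.0.0.0"; b="$2.0.0.0"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x%%[!0-9]*}
        y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y%%[!0-9]*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Return 0 if the given Jetpack version predates the fix.
jetpack_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# Check one WordPress install (path given as $1, default: current dir).
# Exit status: 0 patched, 1 vulnerable, 2 could not determine.
check_site() {
    path="${1:-.}"
    v=$(wp plugin get jetpack --field=version --path="$path" 2>/dev/null) ||
        { echo "$path: Jetpack not installed or WP-CLI failed"; return 2; }
    if jetpack_vulnerable_version "$v"; then
        echo "$path: Jetpack $v is VULNERABLE, update to $FIXED_VERSION or later"
        # Assumption: one module per line containing the slug and "Active"/"Inactive".
        if wp jetpack module list --path="$path" 2>/dev/null |
                grep -i 'shortcodes' | grep -qiw 'active'; then
            echo "$path: Shortcode Embeds module is active, flaw is exploitable"
        fi
        return 1
    fi
    echo "$path: Jetpack $v is patched"
    return 0
}
```

Run `check_site /var/www/example` for each install; a non-zero exit status marks a site that needs attention.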