Saturday, 28 May 2016

[Security Advisory] Stored XSS in JetPack

Real People. Real Security.

Security Advisory: Stored XSS in JetPack

We are reaching out to you today to alert you to a vulnerability that has the potential to impact websites utilizing the JetPack plugin. We feel it is our responsibility to keep our community informed and, as always, we are happy to answer your questions.

During regular research audits of the Sucuri Firewall (Cloud-based WAF),we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million active sites.

Security Risk: Medium

Exploitation Level: Easy/Remote

DREAD Score: 6/10

Vulnerability: Stored XSS

Patched Version: 4.0.3

The security bug is located in the Shortcode Embeds Jetpack module, so if you don't have it activated on your site you're not affected by this issue. An attacker can exploit this vulnerability by leaving a comment containing a carefully positioned shortcode to inject malicious Javascript code on the vulnerable website.

As it is a Stored Cross-Site Scripting (XSS) vulnerability, it could allow an attacker to hijack administrator accounts, inject SEO spam to the affected page, and redirect visitors to malicious websites.

Learn more about XSS vulnerabilities and how they can affect your website.

Read More About This Security Disclosure
Websites behind the Sucuri Firewall have been protected against this threat
via our Virtual Hardening / Patching technology. 

If you don't have our Website Application Firewall enabled, sign up now below!
Protect Your Website Now!
This email does not mean you are affected!

Being proactive in the protection of your site is of one of the most important aspects of having a solid security posture. Therefore, we feel it's important to research and report on all potential threats as quickly as possible.
Below is a video we recently produced which explains
How Websites Get Hacked
Sucuri Webinar: How Websites Get Hacked
- Your Sucuri Security Team
Sucuri Labs
Sucuri Labs
Copyright © 2016 Sucuri Security, All rights reserved.
The user subscribes to this list to stay current with the latest in security news.

Our mailing address is:
Sucuri Security
30141 Antelope RD
Suite D, #680
Menifee, CA 92584

Add us to your address book

unsubscribe from this list    update subscription preferences