XSS Vulnerability in WordPress Jetpack Plug-in Puts Over A Million WordPress Sites at Risk

wordpress-vulnerabilitySecurity firm Securi detailed a stored cross-site scripting (XSS) vulnerability found in the WordPress plug-in Jetpack, putting more than a million websites using the content management system (CMS) at risk of getting their administrator accounts hijacked. The flaw also leaves webpages open to getting injected with spam content, as well as redirecting visitors to malicious websites.

Jetpack is a popular plug-in for the WordPress CMS that provides free website optimization, security, site management and other custom tools such as CSS editing, contact forms and comments. Developed by Automattic, the web development company behind the free and open-source blog hosting service WordPress.com, the plug-in lists over one million active installations.

Sucuri’s Marc-Alexandre Montpas said that the vulnerability can be exploited via the wp-comments function of the site. In Sucuri’s advisory, Montpas wrote, “The security bug is located in the Shortcode Embeds Jetpack module [...] An attacker can exploit this vulnerability by leaving a comment containing a carefully positioned shortcode to inject malicious Javascript code on the vulnerable website.”

Shortcodes are shortcuts that automate certain tasks and streamline the user’s workflow in the Wordpress CMS. Jetpack’s shortcode module, which is used to embed media files, documents, social media content and other resources to a webpage, is enabled by default upon installation.

XSS vulnerabilities are typically found in websites and web applications that process user input such as search engines, login forms, message boards and comment fields. Attackers can exploit an XSS vulnerability by injecting and executing malicious codes and scripts to a legitimate website or web application. By leveraging XSS, the attackers can compromise the website and use it as a vehicle to deliver and spread malware via the user’s browser.

The security firm also recently reported about pirated WordPress plug-ins and themes that lead to malvertising and black hat SEO spamming after its security engineers discovered an embedded code hidden in one of their client’s websites. Upon analysis, the code was found to be loading a Javascript file from the server of GoMafia.com, a web portal that provided counterfeit Wordpress themes and plug-ins. The malicious script loads unwanted, intrusive ads that generated income for the developer, and embedded files that linked the developer’s sites from which the pirated plug-in was loaded in order to boost their search engine rankings.

Content management systems have significantly evolved over the past years. Current CMS platforms offer a feature-rich and easy-to-use system from which individual users and business can publish their digital content. LinkedIn, Bloomberg, Sony, Microsoft News Center, General Electric and Harvard University are just some of the organizations that utilize WordPress. Businesses are adopting CMS platforms to take advantage of the convenience these publishing systems provide, especially when addressing the need to make quick changes to their web content, support multiple users working collaboratively, and customize content for their visitors.

However, the vast amount of third-party components such as plug-ins, themes and custom add-ons, can make CMS platforms highly susceptible to security flaws and cyber-attacks. Cybercriminals also leverage their popularity to get quick returns by targeting and exploiting unpatched or vulnerable components of their CMS-run website.

For instance, popular CMS platform Drupal was targeted by hackers and exploited a two-year old SQL injection vulnerability (identified by Trend Micro as CVE-2014-3704) in Drupal's installations that enabled attackers to hijack the website’s main page.

SQL injections enable hackers to have access to a server's database and other devices within its network. This intrusion technique has also been used to compromise websites in order to deliver other malware. It can also be used to steal information stored on servers and databases, such as the personal and financial data of customers, or confidential documents and trade secrets of businesses.

In mid-December last year, Joomla, another major CMS platform, were the subject of attacks when hackers actively exploited a critical remote command execution vulnerability that has been affecting Joomla sites for eight years. The flaw can be used to compromise web servers and take over websites.

It was also beset by various zero-day SQL injection vulnerabilities that allowed hackers to extract administrator data in order to gain entry to restricted parts of a website’s server. 

WordPress and Joomla were also targeted by cybercriminals when websites running both CMS platforms were injected with malicious Javascript files that distributed the TeslaCrypt ransomware.

Developers of the Jetpack plug-in have worked with the WordPress security team to push updates to all affected versions through its auto-update system. In an announcement, Jetpack said, “If you’ve updated to Jetpack 4.0.3 (or a secure version listed below), you’re in the clear. This security update not only fixes this vulnerability, but also fixes any potential exploits that may have been in place prior to the update. This is why upgrading to a secure version of Jetpack as soon as possible is so important.”


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.