Security firm Securi detailed a stored cross-site scripting (XSS) vulnerability found in the WordPress plug-in Jetpack, putting more than a million websites using the content management system (CMS) at risk of getting their administrator accounts hijacked. The flaw also leaves webpages open to getting injected with spam content, as well as redirecting visitors to malicious websites.
Jetpack is a popular plug-in for the WordPress CMS that provides free website optimization, security, site management and other custom tools such as CSS editing, contact forms and comments. Developed by Automattic, the web development company behind the free and open-source blog hosting service WordPress.com, the plug-in lists over one million active installations.
Shortcodes are shortcuts that automate certain tasks and streamline the user’s workflow in the Wordpress CMS. Jetpack’s shortcode module, which is used to embed media files, documents, social media content and other resources to a webpage, is enabled by default upon installation.
XSS vulnerabilities are typically found in websites and web applications that process user input such as search engines, login forms, message boards and comment fields. Attackers can exploit an XSS vulnerability by injecting and executing malicious codes and scripts to a legitimate website or web application. By leveraging XSS, the attackers can compromise the website and use it as a vehicle to deliver and spread malware via the user’s browser.
Content management systems have significantly evolved over the past years. Current CMS platforms offer a feature-rich and easy-to-use system from which individual users and business can publish their digital content. LinkedIn, Bloomberg, Sony, Microsoft News Center, General Electric and Harvard University are just some of the organizations that utilize WordPress. Businesses are adopting CMS platforms to take advantage of the convenience these publishing systems provide, especially when addressing the need to make quick changes to their web content, support multiple users working collaboratively, and customize content for their visitors.
However, the vast amount of third-party components such as plug-ins, themes and custom add-ons, can make CMS platforms highly susceptible to security flaws and cyber-attacks. Cybercriminals also leverage their popularity to get quick returns by targeting and exploiting unpatched or vulnerable components of their CMS-run website.
For instance, popular CMS platform Drupal was targeted by hackers and exploited a two-year old SQL injection vulnerability (identified by Trend Micro as CVE-2014-3704) in Drupal's installations that enabled attackers to hijack the website’s main page.
SQL injections enable hackers to have access to a server's database and other devices within its network. This intrusion technique has also been used to compromise websites in order to deliver other malware. It can also be used to steal information stored on servers and databases, such as the personal and financial data of customers, or confidential documents and trade secrets of businesses.
In mid-December last year, Joomla, another major CMS platform, were the subject of attacks when hackers actively exploited a critical remote command execution vulnerability that has been affecting Joomla sites for eight years. The flaw can be used to compromise web servers and take over websites.
It was also beset by various zero-day SQL injection vulnerabilities that allowed hackers to extract administrator data in order to gain entry to restricted parts of a website’s server.
Developers of the Jetpack plug-in have worked with the WordPress security team to push updates to all affected versions through its auto-update system. In an announcement, Jetpack said, “If you’ve updated to Jetpack 4.0.3 (or a secure version listed below), you’re in the clear. This security update not only fixes this vulnerability, but also fixes any potential exploits that may have been in place prior to the update. This is why upgrading to a secure version of Jetpack as soon as possible is so important.”
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).