Stored XSS vulnerability identified in Jetpack plugin for WordPress

Any users running Jetpack 3.7 or lower are at risk of having their WordPress website completely taken over.

Researchers with Sucuri have identified a critical stored cross-site scripting (XSS) vulnerability in the popular Jetpack plugin for WordPress websites.

The Jetpack plugin opens up a number of features for WordPress site operators, including customisation, traffic, mobile, content and performance tools. It currently has more than a million active downloads.

The stored XSS bug puts any affected WordPress website at risk of being completely taken over. The issue was fixed earlier this week with the release of Jetpack 3.7.1 and 3.7.2, but anyone who is still running Jetpack 3.7 or lower is vulnerable.

According to a Sucuri post published on Thursday, an attacker can exploit this vulnerability by entering a specially crafted malicious email address into one of the affected WordPress website's contact form pages. The post noted that Jetpack's contact form module is activated by default.

“As the email is not sanitised properly before being output on the ‘Feedback' administrative section, the attacker could use this bug and a bit of web browser hackery to execute JavaScript code on the administrator's end, allowing them to do whatever they [want] with the site (hiding a backdoor for future exploitation of the hacked site, injecting SEO spam, etc.),” the post said.
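As an added illustration, not Jetpack's code and not a claim about how the plugin renders its Feedback page, here is the pattern the post describes in plain PHP: a stored contact-form field echoed into an admin page without escaping, next to a version that validates at intake and escapes at output. The entry, its field names and the sample address are constructed; `filter_var` and `htmlspecialchars` stand in for WordPress's `is_email()`/`sanitize_email()` and `esc_html()` so the block runs without WordPress.

```php
<?php
// Constructed feedback entry, as a contact-form handler might have stored it.
// The address is deliberately malformed (it carries HTML markup) so the two
// renderers below can be compared on the same input.
$entry = [
    'name'    => 'Visitor',
    'email'   => 'visitor<i>markup</i>@example.com',
    'message' => 'Hello',
];

// Vulnerable pattern: stored values are concatenated straight into the HTML
// that an administrator's browser will parse. Whatever was submitted runs.
function render_feedback_unsafe(array $entry): string
{
    return '<li>' . $entry['name'] . ' (' . $entry['email'] . '): '
         . $entry['message'] . '</li>';
}

// Hardened, step 1 (intake): reject anything that is not syntactically an
// address. In WordPress this is the job of is_email() / sanitize_email().
function validate_email(string $email): ?string
{
    $email = trim($email);
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

// Hardened, step 2 (output): escape every stored value where it is emitted,
// whether or not intake validation ran. Escaping at output is what actually
// stops the stored XSS; validation only narrows what gets stored.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_feedback_safe(array $entry): string
{
    return '<li>' . esc($entry['name']) . ' (' . esc($entry['email']) . '): '
         . esc($entry['message']) . '</li>';
}

if (validate_email($entry['email']) === null) {
    echo "intake: rejected '{$entry['email']}' as not an email address\n";
}
echo 'unsafe: ' . render_feedback_unsafe($entry) . "\n"; // markup reaches the admin page
echo 'safe:   ' . render_feedback_safe($entry) . "\n";   // markup is rendered as text
```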

In a Friday email correspondence, Marc-Alexandre Montpas, vulnerability researcher with Sucuri, told SCMagazine.com that Sucuri has not observed any instances of the stored XSS bug being exploited in the wild. However, he added that attackers may attempt to develop exploits now that the release is out.

According to Montpas, the bug is very easy to exploit.

“As it's a stored XSS bug, the attacker has to wait for an administrator to visit the plugin's Feedback section to silently trigger [the] attack payload,” Montpas said. “If this happens, nothing stops the malicious script from taking control of the site, which is extremely dangerous.”

Montpas noted that Jetpack 3.7.1 additionally patches a less dangerous information disclosure bug, so users should upgrade immediately even if they do not use the contact form module.