Automattic fixed a dangerous cross-site scripting (XSS) vulnerability in the Jetpack plugin affecting over one million sites that have this plugin installed.
Jetpack is a free module provided by Automattic, the makers of WordPress, which adds features found on WordPress.com on custom WordPress sites created on the top of their famous open-source CMS platform.
Not all Jetpack users are affected, but the number is high nevertheless
Security firm Sucuri discovered the Jetpack XSS issue, and they say only affects sites that have the Jetpack Shortcode Embeds module active, which comes enabled by default with all new Jetpack installations.
Shortcodes are simple shortcuts that automate certain actions, using the format: [SHORTCODE parameter="value"] . All experienced WordPress users are familiar with them, and they're crucial to WordPress customization operations, also being the reason why this Jetpack module comes enabled by default and others do not.
Sucuri says they XSS issue resides in how WordPress handles the code inside comments. An attacker could leave a shortcode inside a site's comment field in the form of < a title='[SHORTCODE]’>link text< / a > .
Because WordPress functions are a complicated jumble of code that gets loaded from different portions of the CMS core, somehow passing the shortcode inside the link's title attribute in that format escapes XSS filters and input sanitization and allows an attacker to append malicious code.
The XSS malicious payload is then stored in the site's comments database, and gets displayed for anyone viewing comments on that page.
Attackers can hijack admin accounts, insert SEO spam
XSS vulnerabilities are known to grant a skilled attacker the possibility to take over user accounts, including the main admin profile. Sucuri points out that you don't necessarily have to take over a user account, though, and attackers could simply use this XSS flaw to insert SEO spam on a site, or embed redirections that will steal Web traffic.
The Jetpack team released version 4.0.3 on May 26 to address the issue discovered and reported by Sucuri on May 12.
The Jetpack XSS vulnerability resembles a similar XSS issue Sucuri found in the bbPress WordPress forum plugin last week.
Below is the description of the Shortcode Embeds module in a WordPress test site running the Jetpack plugin.
Jetpack Shortcode Embeds module