Millions of WordPress websites are again at risk due to a vulnerability found in a popular WordPress plugin, JetPack. Jetpack is a popular plugin which offers various optimizations and security features to a WordPress site. This plugin was developed by Automattic, the company behind the WordPress.
Also read: Best WordPress Tutorials
Security researchers at Sucuri found a stored XSS vulnerability in this plugin earlier this month. They reported this vulnerability to Automattic which fixed and pushed a new security update of the plugin. The company also confirmed that this vulnerability existed since Jetpack 2.0, released in November 2012
If you use Jetpack plugin, you can see a new update available in your plugins section. If you have not updated your plugin, you should do it now to avoid any risk.
Good thing is that company has pushed updates for all the vulnerable versions. In case you have not updated your plugin due to some personal reason and do not want to upgrade to latest version, you can download your version of this plugin with this security update. All these versions can be found here.
This security bug was found in the Shortcode Embeds Jetpack module. If you are not using this jetpack module, you are safe. This vulnerability allows attackers to exploit it by leaving a comment containing a carefully positioned shortcode to inject malicious Javascript code on the vulnerable website. If you want to read the technical details, you can read the full disclosure.
XSS vulnerability can be used to hijack accounts, inject spams on pages and redirect visitors to other malicious websites. All these can ruin your website’s reputation.
