Jetpack 3.7.2 is available for download and patches two security vulnerabilities. The first is a cross-site scripting vulnerability in the contact form, caused by improper input sanitization, that affects Jetpack 3.7.0 and below. Marc-Alexandre Montpas of Sucuri is credited with responsibly disclosing the vulnerability.
The second is an information disclosure vulnerability present in certain hosting configurations, responsibly disclosed by Jaime Delgado Horna of Listae. In addition to patching the vulnerabilities, 3.7.2 also fixes an error with the REST API that created multiple drafts and published posts. Other notable fixes include:
- Updating the Google+ logo in our sharing buttons.
- Adding custom capabilities for module management for multisite installs.
- Fixing a bug that was sending the contact form response fields in the wrong order.
Montpas has additional information on the cross-site scripting vulnerability discovered in Jetpack on the Sucuri blog, including a timeline of events. Please update to Jetpack 3.7.2 as soon as possible to protect your sites.