Jetpack 4.0.3 is a security release that contains an important fix for a critical vulnerability that has been present in the plugin since version 2.0, released in 2012. According to Jetpack team member Sam Hotchkiss, a stored XSS vulnerability was found in the way some Jetpack shortcodes are processed: an attacker can place JavaScript in a comment, where it persists and runs in the browser of every visitor who views it, hijacking that visitor's session.
This particular bug is similar to one recently found and patched in bbPress.
“Similar issues may exist in other plugins, and it’s a good reminder about the power of regular expressions to create issues when parsing data,” Hotchkiss said.
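The pattern Hotchkiss describes (a regex that turns plain-text shortcodes into HTML after the comment filter has already run) is easy to reproduce in miniature. The following is an added example written for this article; it is not Jetpack's parser and does not reproduce the patched bug. The `[link]` shortcode, its attribute syntax and both regexes are constructed for illustration, as is the attacker comment. The naive expander trusts attribute values and emits a `javascript:` link and an event-handler attribute; the hardened expander whitelists the URL scheme and HTML-escapes every value it interpolates.

```python
import html
import re
from urllib.parse import urlparse

# Hypothetical shortcode for illustration: [link url="..." text="..." title="..."]
# These regexes are constructed for this example; they are not Jetpack's.
SHORTCODE_RE = re.compile(r'\[link\s+([^\]]*)\]')
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')''')


def parse_attrs(attr_text):
    """Pull name/value pairs out of the shortcode body (double or single quoted)."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return attrs


def expand_naive(comment):
    """Vulnerable pattern: attribute values are dropped straight into HTML.

    A comment filter that strips <script> and on* attributes sees only the
    bracketed plain text and passes it; the HTML is created here, afterwards.
    """
    def repl(m):
        a = parse_attrs(m.group(1))
        title = f' title="{a["title"]}"' if "title" in a else ""
        return f'<a href="{a.get("url", "")}"{title}>{a.get("text", "")}</a>'
    return SHORTCODE_RE.sub(repl, comment)


def expand_safe(comment):
    """Hardened form: whitelist the URL scheme and escape every value."""
    def repl(m):
        a = parse_attrs(m.group(1))
        text = html.escape(a.get("text", ""))
        url = a.get("url", "").strip()
        # Reject javascript:, data:, vbscript: and anything else that is not http(s).
        if urlparse(url).scheme.lower() not in ("http", "https"):
            return text  # render as plain text, no link at all
        title = ""
        if "title" in a:
            title = f' title="{html.escape(a["title"], quote=True)}"'
        return f'<a href="{html.escape(url, quote=True)}"{title}>{text}</a>'
    return SHORTCODE_RE.sub(repl, comment)


# Constructed attacker comment for the demo (not a real captured payload).
EVIL_COMMENT = (
    'Nice post! [link url="javascript:alert(document.cookie)" text="click"] '
    "[link url='http://example.com' text='x' title='\" onmouseover=\"alert(1)']"
)
BENIGN_COMMENT = '[link url="https://wordpress.org" text="WordPress"]'

if __name__ == "__main__":
    print("naive:", expand_naive(EVIL_COMMENT))
    print("safe: ", expand_safe(EVIL_COMMENT))
```

The second attacker shortcode shows why the regex matters as much as the escaping: single-quoted attribute values let a double quote through, so the naive expander closes the `title` attribute early and the remainder becomes an `onmouseover` handler. The hardened version also drops relative URLs because it only accepts `http` and `https`; if a site needs those, the scheme check has to be relaxed deliberately rather than removed.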
The Jetpack team has been working with the WordPress security team to push out point releases for every vulnerable branch of the plugin's codebase, which means every release from 2.0 onward. The fixes are being delivered through WordPress core's automatic update system, so every site that has not explicitly opted out of automatic plugin updates will receive the security update without any action on its part.
“Fortunately, we have no evidence of this being used in the wild,” Hotchkiss said. “However, now that this update is public, it’s just a matter of time before someone attempts to exploit it.” The Jetpack team is advising users to update as soon as possible; the update also neutralizes any exploit payloads that may already have been planted on a site before the fix.
The team credits Marc-Alexandre Montpas from Sucuri for finding the bug and disclosing it responsibly. Users will be notified about the security release via email, but those who have Akismet and/or VaultPress installed have already been protected since the first reporting of the vulnerability.
We encourage everyone to update; we’ll be waiting to publish details until tomorrow afternoon.
Thanks,
Tony