Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

Vulnerability fixed in Jetpack 4.0.3. Severity: 6.1 (Medium)

This entry was posted in Vulnerabilities, WordPress Security on May 27, 2016 by Mark Maunder   4 Replies

An XSS vulnerability has been fixed in Jetpack version 4.0.3 which was released yesterday. If you haven’t automatically been updated to Jetpack 4.0.3 please update immediately. The CVSS score we have calculated for this vulnerability is 6.1 (Medium).

If you are running the Wordfence firewall, we have verified with our own proof-of-concept attack that you are already protected against this exploit.

Jetpack parses HTML looking for objects like Vimeo links. If it finds a Vimeo link or similar object it tries to be helpful and turn it into the Vimeo embedded video code. The trouble with the vulnerable version of Jetpack is that it doesn’t check if the link isn’t already surrounded by potentially malicious HTML tags.

The attack that this vulnerability enables is a stored cross site scripting attack or ‘stored XSS’. It allows an attacker to include malicious javascript in comments which execute within site visitor and site owner’s web browsers.

The fix released by the Jetpack team enhances the filtering that is performed on incoming comments.

The Akismet team has already released a fix for this which prevents malicious comments from being posted. They are filtering out comments that contain the malicious payload that exploits this vulnerability.

The WordPress security team are pushing security hotfixes that will fix this issue. This issue affects the following versions of Jetpack: Versions: 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3 and 3.9.7.

If you are using Wordfence firewall (free or paid) you are already protected against this exploit because Wordfence has built in protection against stored XSS attacks. 

If you haven’t updated to Jetpack 4.0.3 then please update now.

Jetpack have posted a detailed blog post about the vulnerability.

They have also included a helpful FAQ.

Did you enjoy this post? Share it!


Your rating:

4 Comments on "Vulnerability fixed in Jetpack 4.0.3. Severity: 6.1 (Medium)"

Jorge May 27, 2016 at 12:58 pm • Reply

I updated to Jetpack 4.0.3. Many thanks for the information.

Clint May 27, 2016 at 1:25 pm • Reply

Thanks for the update information. Just curious how this is related to the issue with Jetpack Version 3.9.5 as shown at the following url?

https://wordpress.org/support/topic/jetpack-395-vimeo-videos-added-to-comments?replies=1

mark May 27, 2016 at 1:58 pm • Reply

I don't think so. The versions this vulnerability affects go back to 2.0.

Lori Newman June 1, 2016 at 7:47 am • Reply

Thanks for the heads up - appreciate it!

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.