An XSS vulnerability has been fixed in Jetpack version 4.0.3 which was released yesterday. If you haven’t automatically been updated to Jetpack 4.0.3 please update immediately. The CVSS score we have calculated for this vulnerability is 6.1 (Medium).
If you are running the Wordfence firewall, we have verified with our own proof-of-concept attack that you are already protected against this exploit.
Jetpack parses HTML looking for objects like Vimeo links. If it finds a Vimeo link or similar object it tries to be helpful and turns it into the Vimeo embedded video code. The trouble with the vulnerable version of Jetpack is that it doesn't check whether the link is already surrounded by potentially malicious HTML tags before rewriting it.
The fix released by the Jetpack team enhances the filtering that is performed on incoming comments.
The Akismet team has already released a fix for this which prevents malicious comments from being posted. They are filtering out comments that contain the malicious payload that exploits this vulnerability.
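To make the bug class concrete, here is an added example (written for this article, not Jetpack's, Akismet's or Wordfence's own code) that models the two halves described above: an auto-embed rewrite that ignores the context a Vimeo URL sits in, beside a hardened rewrite that only embeds a URL standing alone on its own line, plus a comment check that flags a URL wrapped in or placed inside author-supplied HTML tags, which is the kind of condition an incoming-comment filter would look for. The input strings are constructed, the function names are hypothetical, and the only tag used is a harmless `<em>`; the point is where the embed markup ends up, not any particular payload.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed model of a URL-to-embed rewrite; not Jetpack's implementation.
VIMEO_URL_RE = re.compile(r"https?://(?:www\.)?vimeo\.com/(\d+)")
STANDALONE_VIMEO_RE = re.compile(r"^\s*https?://(?:www\.)?vimeo\.com/(\d+)\s*$")


def _iframe(video_id: str) -> str:
    # Only the numeric id reaches the attribute, and it is escaped regardless.
    return '<iframe src="https://player.vimeo.com/video/%s"></iframe>' % escape(video_id, quote=True)


def naive_autoembed(text: str) -> str:
    """Rewrite every Vimeo URL found, wherever it appears.

    Modelled defect: the URL is rewritten even when it is already inside
    other HTML, so embed markup is emitted inside a context the comment
    author chose, instead of only in a context the site controls.
    """
    return VIMEO_URL_RE.sub(lambda m: _iframe(m.group(1)), text)


def safe_autoembed(text: str) -> str:
    """Embed only a URL that is the sole content of its line.

    A URL mixed with other text or markup on the same line is left alone,
    so the rewrite never fires inside author-supplied tags.
    """
    out = []
    for line in text.splitlines():
        m = STANDALONE_VIMEO_RE.match(line)
        out.append(_iframe(m.group(1)) if m else line)
    return "\n".join(out)


class _UrlContextScanner(HTMLParser):
    """Track whether an embeddable URL appears inside an attribute or an open element."""

    def __init__(self) -> None:
        super().__init__()
        self.depth = 0
        self.flagged = False

    def handle_starttag(self, tag, attrs):
        self.depth += 1
        for _, value in attrs:
            if value and VIMEO_URL_RE.search(value):
                self.flagged = True  # URL placed in an attribute value

    def handle_endtag(self, tag):
        self.depth = max(0, self.depth - 1)

    def handle_data(self, data):
        if self.depth > 0 and VIMEO_URL_RE.search(data):
            self.flagged = True  # URL wrapped by a tag the author opened


def url_wrapped_in_html(comment: str) -> bool:
    """Comment-filter check: True when a Vimeo URL sits inside author HTML.

    Unclosed tags keep the depth above zero, so the check errs towards
    flagging, which is the right default for a filter on incoming comments.
    """
    scanner = _UrlContextScanner()
    scanner.feed(comment)
    scanner.close()
    return scanner.flagged


if __name__ == "__main__":
    # Constructed sample comments.
    plain = "https://vimeo.com/123"
    wrapped = "<em>https://vimeo.com/123</em>"
    print(naive_autoembed(wrapped))   # embed emitted inside the author's <em>
    print(safe_autoembed(wrapped))    # left untouched
    print(safe_autoembed(plain))      # embedded: URL stands alone
    print(url_wrapped_in_html(wrapped), url_wrapped_in_html(plain))
```

The hardened rewrite follows the same rule WordPress applies to its own oEmbed handling, embedding only a URL that occupies a whole line; the scanner is the check a comment filter would run before the rewrite is allowed to see the text.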
The WordPress security team are pushing security hotfixes that will fix this issue. This issue affects the following versions of Jetpack: 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3 and 3.9.7.
If you are using Wordfence firewall (free or paid) you are already protected against this exploit because Wordfence has built in protection against stored XSS attacks.
If you haven’t updated to Jetpack 4.0.3 then please update now.
Jetpack have posted a detailed blog post about the vulnerability, which also includes a helpful FAQ.