Wordfence Blog

Vulnerability fixed in Jetpack 4.0.3. Severity: 6.1 (Medium)

This entry was posted in Vulnerabilities, WordPress Security on May 27, 2016 by Mark Maunder

An XSS vulnerability has been fixed in Jetpack version 4.0.3, which was released yesterday. If you haven’t been updated automatically to Jetpack 4.0.3, please update immediately. The CVSS score we have calculated for this vulnerability is 6.1 (Medium).

If you are running the Wordfence firewall, we have verified with our own proof-of-concept attack that you are already protected against this exploit.

Jetpack parses HTML looking for objects like Vimeo links. If it finds a Vimeo link or a similar object, it tries to be helpful and turns it into the Vimeo embedded video code. The trouble with the vulnerable version of Jetpack is that it doesn’t check whether the link is already surrounded by potentially malicious HTML tags before it generates the embed.

The attack that this vulnerability enables is a stored cross-site scripting attack, or ‘stored XSS’. It allows an attacker to include malicious JavaScript in comments, which then executes in the web browsers of site visitors and the site owner.

The fix released by the Jetpack team enhances the filtering that is performed on incoming comments.
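To make the failure mode concrete, here is an added example that is not Jetpack's code and not part of the original post. It models a simplified comment auto-embedder in Python: `naive_embed` substitutes a Vimeo embed into the raw comment text without validating what it captured or checking where the link sits, while `hardened_embed` only expands a bare URL with a purely numeric id, refuses to expand a link that sits inside an existing HTML tag, and HTML-escapes everything else. The function names, the `STRICT_VIMEO`/`LOOSE_VIMEO` patterns, the `EMBED` template and the sample comments are all constructed for this illustration.

```python
import html
import re

# Strict pattern: a bare Vimeo URL bounded by whitespace/string edges, numeric id only.
STRICT_VIMEO = re.compile(r'(?<!\S)https?://vimeo\.com/(\d{1,12})(?!\S)')
# Loose pattern in the style of a naive auto-embedder: grabs everything up to whitespace.
LOOSE_VIMEO = re.compile(r'https?://vimeo\.com/(\S+)')

# Illustrative embed markup (assumed; not the real Jetpack template).
EMBED = '<iframe src="https://player.vimeo.com/video/{vid}" allowfullscreen></iframe>'


def naive_embed(comment: str) -> str:
    """Flawed transform: drops the embed into the raw comment without escaping
    the surrounding text or validating the captured video id."""
    return LOOSE_VIMEO.sub(lambda m: EMBED.format(vid=m.group(1)), comment)


def _inside_tag(text: str, pos: int) -> bool:
    """True when position pos sits between an unclosed '<' and its '>'."""
    return text.rfind('<', 0, pos) > text.rfind('>', 0, pos)


def hardened_embed(comment: str) -> str:
    """Safer transform: expand only bare, numeric-id Vimeo links that are not
    inside a tag; every other byte of the comment is HTML-escaped as text."""
    out = []
    last = 0
    for m in STRICT_VIMEO.finditer(comment):
        if _inside_tag(comment, m.start()):
            continue  # leave it alone; it will be escaped with the rest of the text
        out.append(html.escape(comment[last:m.start()]))
        out.append(EMBED.format(vid=m.group(1)))
        last = m.end()
    out.append(html.escape(comment[last:]))
    return ''.join(out)


# Constructed sample comments (not taken from the post).
CLEAN = "Nice talk: https://vimeo.com/12345 enjoy"
ATTR_BREAK = 'https://vimeo.com/12345"><b>injected</b>'
INSIDE_TAG = '<a title="see https://vimeo.com/12345 now">link</a>'

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("attr_break", ATTR_BREAK), ("inside_tag", INSIDE_TAG)):
        print(label, "naive   :", naive_embed(sample))
        print(label, "hardened:", hardened_embed(sample))
```

The two checks that matter are the ones the post describes: the id is constrained to digits before it is placed into an attribute, and a URL that already sits inside attacker-supplied markup is not turned into an embed at all. In a real WordPress deployment the escaping step would be the comment sanitizer (such as the kses filtering comments already go through), with the embed transform run on its output rather than on raw input.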

The Akismet team has already released a fix for this which prevents malicious comments from being posted. They are filtering out comments that contain the malicious payload that exploits this vulnerability.

The WordPress security team are pushing security hotfixes that will fix this issue. This issue affects the following versions of Jetpack: 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3 and 3.9.7.

If you are using the Wordfence firewall (free or paid) you are already protected against this exploit, because Wordfence has built-in protection against stored XSS attacks.

If you haven’t updated to Jetpack 4.0.3 then please update now.

Jetpack have posted a detailed blog post about the vulnerability.

They have also included a helpful FAQ.


4 Comments on "Vulnerability fixed in Jetpack 4.0.3. Severity: 6.1 (Medium)"

Jorge May 27, 2016 at 12:58 pm

I updated to Jetpack 4.0.3. Many thanks for the information.

Clint May 27, 2016 at 1:25 pm

Thanks for the update information. Just curious how this is related to the issue with Jetpack Version 3.9.5 as shown at the following url?


mark May 27, 2016 at 1:58 pm

I don't think so. The versions this vulnerability affects go back to 2.0.

Lori Newman June 1, 2016 at 7:47 am

Thanks for the heads up - appreciate it!
