Stored XSS Vulnerability in Jetpack Plugin
December 21, 2016
Insecure or outdated plugins have been at the heart of numerous attacks launched at, and from, compromised WordPress sites.
The Jetpack plugin is the latest culprit, following the discovery of a stored cross-site scripting (XSS) vulnerability in its contact form module.
According to a Sucuri post published on Thursday, "an attacker can exploit this vulnerability by entering a specially crafted malicious email address into one of the affected WordPress website's contact form pages". The bug is very easy to exploit: the attacker needs no account, only a public contact form. The crafted address is stored with the submission and executes in the browser of an administrator who later reviews the form feedback in the dashboard.
Since Jetpack's contact form module is activated by default, a large number of WordPress installations are exposed whether or not the site owner knowingly uses the form.
WordPress Versions Affected
According to Sucuri's advisory, the vulnerable code was introduced in Jetpack version 3.7 and is present in every release up to and including 4.4.1; version 4.4.2 contains the fix. Because the injected script runs with the privileges of the logged-in administrator viewing the submissions, this stored XSS bug puts any affected WordPress website at risk of being completely taken over.
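The following PHP script is an added, illustrative example and is not Jetpack's code or the code Sucuri audited. It models the pattern behind a bug of this class: a contact form stores whatever was typed into the email field and an admin page later renders it inside a mailto link. The vulnerable rendering is shown beside a hardened version that validates on input and escapes on output. It uses plain PHP functions so it runs from the command line; the WordPress equivalents (is_email, sanitize_email, esc_attr, esc_html) are named in comments. The payload and the function names are constructed for this example.

```php
<?php
// Added illustrative example (not Jetpack's code): a contact-form "feedback" page
// that renders a stored email address as a mailto link. Run with: php example.php

// Constructed attacker input. The local part is a quoted string, which is
// syntactically legal in an email address, so syntax-only validators may accept it.
$submitted_email = '"<svg/onload=alert(1)>"@example.com';

// --- Vulnerable: the stored value is concatenated straight into HTML. ---
// The link text is emitted as a raw text node, so the <svg> tag is parsed and
// its onload handler runs in the administrator's browser.
function render_feedback_vulnerable(string $email): string
{
    return '<a href="mailto:' . $email . '">' . $email . '</a>';
}

// --- Hardened, step 1: validate on input before storing. ---
// WordPress equivalent: is_email() / sanitize_email(), which are stricter than
// PHP's filter. Either way, validation alone is not the fix (see step 2).
function validate_email(string $email): ?string
{
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// --- Hardened, step 2: escape for the output context, every time. ---
// WordPress equivalents: esc_attr() for the href value, esc_html() for the text.
// Escaping is required even for validated values, because rows stored before a
// fix, or under a looser validator, are still rendered by this code.
function render_feedback_hardened(string $email): string
{
    $attr = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="mailto:' . $attr . '">' . $text . '</a>';
}

echo "Vulnerable rendering:\n", render_feedback_vulnerable($submitted_email), "\n\n";

$validated = validate_email($submitted_email);
if ($validated === null) {
    echo "Input validation rejected the submission.\n";
} else {
    echo "Input validation accepted the submission; output escaping must protect the admin page:\n";
}

// Whatever the validator decided, the escaped rendering contains no executable markup.
echo render_feedback_hardened($submitted_email), "\n";
```

Running the script prints the vulnerable markup with a live `<svg>` tag in the link text, followed by the hardened rendering in which `<`, `>` and `"` are entity-encoded. The design point is the second function: a validator decides what is stored, but only context-aware escaping at render time decides what the browser executes, so a fix that tightens validation without escaping output leaves previously stored submissions exploitable.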
What to Do
At a minimum, you or your webmaster need to update the Jetpack plugin to version 4.4.2 or later. Next, disable the contact form module if it is not used; Jetpack activates it by default. Third, update all other WordPress plugins to their latest versions.
Be Proactive: don't wait until you hear that a new vulnerability was discovered. Always keep the WordPress core and all plugins up to date.
Backup: back to basics, always back up your WordPress site so that a hacked installation can be restored from a known-good copy.
Remove vs. Disable: remove unused plugins rather than merely disabling them, since a disabled plugin's files stay on the server and can still be reachable. The same applies to unused themes. If you don't use it, remove it.
An Ongoing Need to Stay Up-to-Date
Unfortunately, and as usual, the WordPress CMS used by millions is vulnerable again, and site owners fail to understand the cost of not being proactive with their maintenance and of not using a web maintenance service to constantly monitor and back up their WordPress sites. While you should focus on running your business, being a passive webmaster is an open invitation to hackers.
eLab Communications offers several maintenance and hosting packages specific to WordPress websites. Contact us today for a complimentary website health check and to discuss your available maintenance options.
Call us Toll Free at 888.624.8321 – Local 831.375.7600