After a few critical bugs were recently discovered and patched in the core WordPress engine—a rarity with WordPress-related security issues—order has apparently been restored with the discovery of a critical vulnerability in a popular plugin.
Insecure plugins have been at the heart of numerous attacks launched from compromised WordPress sites. One was patched this week in Jetpack, a plugin that’s been downloaded more than one million times. Jetpack allows website administrators to add customization features, mobile content, traffic and other performance tracking tools.
Researchers at Sucuri reported a serious stored cross-site scripting flaw in the plugin on Sept. 10, which was patched on Monday. Yesterday, the security company released details on the flaw, which affected Jetpack versions 3.7 and earlier.
The vulnerability was present in the plugin’s contact-form module, which is turned on by default. Successful exploits against the flaw could expose sites using the plugin to a host of trouble including a backdoor which would allow a hacker to come and go as they pleased.
“An attacker can exploit this issue by providing a specially crafted malicious email address in one of the site’s contact form pages,” Sucuri researcher Marc-Alexandre Montpas wrote in an advisory published yesterday. “As the email is not sanitized properly before being output on the ‘Feedback’ administrative section, the attacker could use this bug and a bit of web browser hackery to execute JavaScript code on the administrator’s end, allowing them to do whatever they want with the site.”
Unlike reflected cross-site scripting vulnerabilities, which require the victim to follow a crafted link, stored XSS flaws are exploited when the attacker passes code to the web server, where it is saved, and then waits for a user to log in and view it, whether that user is a subscriber, author or admin.
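The mechanism described above, as an added example that is not Jetpack’s or Sucuri’s code: a constructed contact-form submission is stored as-is and later rendered into an admin “Feedback” table. The vulnerable renderer interpolates the stored value straight into HTML; the hardened one applies output encoding, and a validation step rejects a malformed address on the way in. The function names and sample submissions are assumptions made for the example; `esc_html()` and `is_email()` are the real WordPress helpers that play the same roles as the core-PHP `htmlspecialchars()` and `filter_var()` used here so the script runs on plain PHP 7.4 or later.

```php
<?php
// Added example, not code from the Jetpack plugin or the Sucuri advisory.
// Shows why an unescaped email field becomes stored XSS in an admin page,
// and the two defenses a plugin author should apply.

// Constructed sample submissions, in the shape a contact form might store them.
$submissions = [
    ['name' => 'Alice',   'email' => 'alice@example.com'],
    // The second "address" is a constructed test value: it is not an address at all,
    // it is HTML that will run in whatever browser renders it unescaped.
    ['name' => 'Mallory', 'email' => 'mallory@example.com<script>alert(1)</script>'],
];

// VULNERABLE: the stored value is concatenated into markup unchanged, so the
// administrator's browser treats the injected tag as part of the page.
function render_feedback_row_vulnerable(array $s): string
{
    return '<tr><td>' . $s['name'] . '</td><td>' . $s['email'] . '</td></tr>';
}

// HARDENED: contextual output encoding. Every stored value becomes inert text,
// whatever it contains. In WordPress this is esc_html(); htmlspecialchars() is
// the core-PHP equivalent used here so the example is self-contained.
function render_feedback_row_safe(array $s): string
{
    $enc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $enc($s['name']) . '</td><td>' . $enc($s['email']) . '</td></tr>';
}

// DEFENSE IN DEPTH: validate on input as well. A contact-form email must be an
// address, not free text. WordPress offers is_email(); filter_var() is the
// core-PHP equivalent. Returns the normalised address or null if it is rejected.
function validate_email_field(string $email): ?string
{
    $clean = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

foreach ($submissions as $s) {
    echo "--- submission from {$s['name']} ---\n";
    echo "vulnerable: " . render_feedback_row_vulnerable($s) . "\n";
    echo "escaped:    " . render_feedback_row_safe($s) . "\n";
    $valid = validate_email_field($s['email']);
    echo "validation: " . ($valid === null ? 'REJECTED (not a valid address)' : "accepted as $valid") . "\n";
}
```

Run it with `php example.php`. The vulnerable line for the second submission contains a live `<script>` element; the escaped line shows `&lt;script&gt;` instead, which a browser displays as literal text. Note that validation alone is not the fix: the name column is free text and cannot be validated into safety, so output encoding at the point where data meets HTML is the primary control, with input validation as a second layer.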
“The attacker simply has to wait for the right user to log in, without introducing any additional indicators that might alert the administrator (think a phishing campaign),” Montpas said. “This is compounded by the popularity of a plugin like JetPack, deployed by default in many installations via their hosts or the install packages.”
Sucuri has published technical details in its advisory, but in short, its researchers found an input that was not sanitized properly before being output, giving them the ability to attack the site running Jetpack.
Because of Jetpack’s popularity, the researchers urge users to update immediately to a patched version of the plugin.
Earlier this year, a different cross-site scripting vulnerability was discovered in the Genericons icon package that is sometimes bundled with Jetpack and the TwentyFifteen WordPress theme.
While most security issues related to WordPress and other content management systems are plugin-related, last month WordPress released version 4.3.1, which patched three vulnerabilities. The most serious of these were found in the shortcodes feature, HTML tags that allow site developers to embed macros in code.