Researchers with Sucuri have identified a critical stored cross-site scripting (XSS) vulnerability in the popular Jetpack plugin for WordPress websites.
The Jetpack plugin opens up a number of features for WordPress site operators, including customization, traffic, mobile, content and performance tools. It currently has more than a million active downloads.
The stored XSS bug puts any affected WordPress website at risk of being completely taken over. The issue was fixed earlier this week with the release of Jetpack 3.7.1 and 3.7.2, but anyone who is still running Jetpack 3.7 or lower is vulnerable.
According to a Sucuri post published on Thursday, an attacker can exploit this vulnerability by entering a specially crafted malicious email address into one of the affected WordPress website’s contact form pages. The post noted that Jetpack’s contact form module is activated by default.
In a Friday email correspondence, Marc-Alexandre Montpas, vulnerability researcher with Sucuri, told SCM that Sucuri has not observed any instances of the stored XSS bug being exploited in the wild. However, he added that attackers may attempt to develop exploits now that the release is out.
According to Montpas, the bug is very easy to exploit.
“As it’s a stored XSS bug, the attacker has to wait for an administrator to visit the plugin’s Feedback section to silently trigger [the] attack payload,” Montpas said. “If this happens, nothing stops the malicious script from taking control of the site, which is extremely dangerous.”
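The mechanism Montpas describes (a field accepted from an anonymous visitor, stored, and later rendered into an administrator's page) is the classic stored XSS shape. The following is an added illustration written for this page in plain PHP; it is not Jetpack's or Sucuri's code, and the form fields, the constructed submission and the function names are assumptions. It shows a vulnerable feedback renderer beside the two controls that close the hole: validating the email on input and HTML-escaping every stored value on output. Plain PHP helpers stand in for the WordPress equivalents named in the comments.

```php
<?php
// Added example (not Jetpack's code): a minimal contact-form pipeline.
// The vulnerable path stores whatever was submitted and echoes it raw into
// the admin Feedback table; the hardened path validates on input and
// escapes on output.

// Constructed submission whose "email" field carries HTML markup.
$constructedSubmission = [
    'name'  => 'Visitor',
    'email' => 'not-an-address<script>/* constructed marker */</script>',
];

/** Vulnerable: interpolates stored fields straight into admin-facing HTML. */
function renderFeedbackVulnerable(array $entry): string
{
    // No validation on the way in, no escaping on the way out: the markup in
    // the email field becomes part of the page an administrator loads.
    return '<tr><td>' . $entry['name'] . '</td><td>' . $entry['email'] . '</td></tr>';
}

/** Hardened step 1: refuse to store anything that is not a valid address. */
function validateSubmission(array $submission): ?array
{
    // FILTER_VALIDATE_EMAIL rejects angle brackets, quotes and whitespace,
    // none of which belong in an address. In WordPress the same role is
    // played by is_email() / sanitize_email().
    $email = filter_var($submission['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null; // nothing is stored, so the Feedback page never sees it
    }
    return [
        'name'  => (string) ($submission['name'] ?? ''),
        'email' => $email,
    ];
}

/** Hardened step 2: escape on output, whatever reached the database. */
function renderFeedbackSafe(array $entry): string
{
    // Output encoding is the control that still holds if validation is
    // bypassed or if rows were stored before validation existed
    // (esc_html() in WordPress).
    $esc = function (string $value): string {
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    return '<tr><td>' . $esc($entry['name']) . '</td><td>' . $esc($entry['email']) . '</td></tr>';
}

// Walk the constructed submission through both paths.
echo "Vulnerable render:\n", renderFeedbackVulnerable($constructedSubmission), "\n\n";

$validated = validateSubmission($constructedSubmission);
echo 'Input validation: ', ($validated === null ? 'rejected, not stored' : 'accepted'), "\n\n";

// Defence in depth: even if the raw row had been stored, escaping renders
// the markup as inert text in the administrator's browser.
echo "Escaped render:\n", renderFeedbackSafe($constructedSubmission), "\n";
```

Running this with `php` prints the raw row first, then shows the same submission being rejected by validation, then shows the escaped row in which the angle brackets appear as `&lt;` and `&gt;`. The two hardened functions are independent on purpose: a plugin that only validates on input leaves previously stored rows exposed, and one that only escapes on output still accepts junk into its database, so a patch for a bug of this class normally needs both.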
Montpas noted that Jetpack 3.7.1 additionally patches a less dangerous information disclosure bug, so users should upgrade immediately even if they do not use the contact form module.