Popular WordPress Plugin Addresses Critical Security Issue

The website security firm Sucuri last week disclosed a critical issue in Jetpack, a plugin used by more than 1 million users of the WordPress content management system.

Why Should This Issue Be Considered Important?
Sucuri discovered a critical cross-site scripting (XSS) issue (defined) within the Jetpack plugin, caused by the way the plugin's contact form module validates the email address submitted with a form.

An attacker who exploited this vulnerability could execute (run or carry out a set of steps) JavaScript (defined) code of their choice on your WordPress site. This could allow the attacker to add a backdoor (defined) to your website, giving them convenient ongoing access, or to conduct a watering hole attack (defined) (further examples of the options open to the attacker are presented in Sucuri’s security advisory for this issue).
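As an added illustration of the class of flaw described above (this is example code, not Jetpack's or Sucuri's), the following PHP contrasts a contact-form handler that accepts any string containing an "@" and prints it unescaped into an administrator page with a version that validates the address and escapes it at output. The function names and sample submissions are made up for the example.

```php
<?php
// Illustrative example, not Jetpack's code. A contact-form handler stores
// the submitted email and later shows it to an administrator.

// Weak validation: only checks that an '@' is present, and the value is
// later printed without escaping, so a crafted "email" becomes markup.
function handle_submission_weak(array $post): ?string {
    $email = $post['email'] ?? '';
    if (strpos($email, '@') === false) {
        return null; // rejected
    }
    return $email; // stored exactly as submitted
}

function render_feedback_row_weak(string $email): string {
    return '<td>' . $email . '</td>'; // unescaped output sink
}

// Hardened: validate with a real email check (in WordPress: is_email() /
// sanitize_email()) and escape at the output sink (in WordPress: esc_html()).
function handle_submission_strong(array $post): ?string {
    $email = trim($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // rejected: not a syntactically valid address
    }
    return $email;
}

function render_feedback_row_strong(string $email): string {
    return '<td>' . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample submissions.
$samples = [
    ['email' => 'reader@example.com'],
    ['email' => 'x@y<b>injected markup</b>'],   // contains '@' but is not an address
    ["email" => "o'neil@example.com"],           // valid address that still needs escaping
];

foreach ($samples as $post) {
    $weak   = handle_submission_weak($post);
    $strong = handle_submission_strong($post);
    echo 'weak:   ', $weak === null ? '(rejected)' : render_feedback_row_weak($weak), "\n";
    echo 'strong: ', $strong === null ? '(rejected)' : render_feedback_row_strong($strong), "\n";
}
```

The third sample shows why validation alone is not enough: a legitimate address can still carry characters that matter in an HTML context, so escaping at the sink is required regardless of what the input check accepted.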

How Can I Protect Myself From This Issue?
Please update to Jetpack version 3.7.1 or later (at the time of writing, version 3.7.2 is available). Instructions for updating WordPress plugins are provided here. Installation instructions for Jetpack are provided here.

I hope that the above information is useful to you in securing your WordPress site from this flaw if you make use of the Jetpack plugin.

Thank you.
