After a few critical bugs were recently discovered and patched in the core WordPress engine—a rarity with WordPress-related security issues—order has apparently been restored with the discovery of a critical vulnerability in a popular plugin.
Insecure plugins have been at the heart of numerous attacks launched from compromised WordPress site. One was patched this week in Jetpack, a plugin that’s been downloaded more than one million times. Jetpack allows website administrators to add customization features, mobile content, traffic and other performance tracking tools.
The vulnerability was present in the plugin’s contact-form module, which is turned on by default. Successful exploits against the flaw could expose sites using the plugin to a host of trouble including a backdoor which would allow a hacker to come and go as they pleased.
Unlike reflective cross-site scripting vulnerabilities, stored XSS flaws are exploited when the attacker passes code to the webserver and waits for the user to log in, whether it’s a subscriber, author or admin.
“The attacker simply has to wait for the right user to log in, without introducing any additional indicators that might alert the administrator (think a phishing campaign),” Montpas said. “This is compounded by the popularity of a plugin like JetPack, deployed by default in many installations via their hosts or the install packages.”
Sucuri has published technical details in its advisory, but in short, its researchers found a way where input was not sanitized properly, giving them the ability to attack the site running Jetpack.
Because of Jetpack’s popularity, the researchers urge users to update immediately to a patched version of the plugin.
Earlier this year, a different cross-site scripting vulnerability was discovered in the Genericons icon package that is sometimes bundled with Jetpack and the TwentyFifteen WordPress theme.
While most security issues related to WordPress and other content management systems are plugin-related, last month, WordPress released version 4.3.1 which patched three vulnerabilities, the most serious of which were found in the shortcodes feature, HTML tags that allow site developers to embed macros in code.