Security Risk: Dangerous
Exploitation Level: Easy/Remote
DREAD Score: 8/10
Vulnerability: Stored XSS
Patched Version:  3.7.1
Vulnerability Disclosure Timeline:

September 10th, 2015 – Initial report to Automattic security team
September 10th, 2015 – Automattic security team acks receipt of report, sets patch date for September 22nd
September 28th, 2015 – Patch made public with the release of Jetpack 3.7.1 and 3.7.2

 

Are You At Risk?

The vulnerability affects users of Jetpack version lower or equal to 3.7 that uses the contact form module present in the plugin (it is activated by default). An attacker can exploit this issue by providing a specially crafted malicious email address in one of the site’s contact form pages. As the email is not sanitized properly before being output on the ‘Feedback’ administrative section, the attacker could use this bug and a bit of web browser hackery to execute JavaScript code on the administrator’s end, allowing them to do whatever they wants with the site (hiding a backdoor for future exploitation of the hacked site, injecting SEO spam, etc.).

 


Thursday, October 1, 2015







« Back