WordPress plug-in Jetpack puts over 1,000,000 websites in danger

author wpshopmart 01 Jun 2016

WordPress plug-in Jetpack puts over 1,000,000 websites in danger

Owners of WordPress-based websites ought to update the Jetpack plug-in as shortly as attainable owing to a heavy flaw that would expose their users to attacks.

Threat intelligence

CSO Threat Intelligence Survival Guide
If enterprises wish to grasp however they’ll higher invest in security defenses, build the required. Jetpack may be a standard plug-in that gives free web site optimisation, management and security measures. it had been developed by Automattic, the corporate behind WordPress.com and also the WordPress ASCII text file project, and has over one million active installations. Researchers from internet security firm Sucuri have found a hold on cross-site scripting (XSS) vulnerability that affects all Jetpack releases since 2012, beginning with version two.0.

How to answer ransomware threats

The issue is found within the Shortcode Embeds Jetpack module that permits users to implant external videos, images, documents, tweets and different resources into their content. It will be simply exploited to inject malicious JavaScript code into comments.
Since the JavaScript code is persistent, it’ll get dead in users’ browsers within the context of the affected web site anytime they read the malicious comment. this will be wont to steal their authentication cookies, together with the administrator’s session; to direct guests to exploits, or to inject program optimisation (SEO) spam.
“The vulnerability will be simply exploited via wp-comments and that we advocate everybody to update ASAP, if you’ve got not done thus nevertheless,” aforesaid Sucuri investigator Marc-Alexandre Montpas in a very web log post. Sites that do not have the Shortcode Embeds module activated aren’t affected, however this module provides standard practicality such a lot of websites square measure seemingly to own it enabled.

The Jetpack developers have worked with the WordPress security team to push updates to all or any affected versions through the WordPress core auto-update system. Jetpack versions four.0.3 or newer contain the fix.
In case users don’t need to upgrade to the newest version, the Jetpack developers have conjointly discharged purpose releases for all twenty-one vulnerable branches of the Jetpack codebase: two.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3, 3.9.7, and 4.0.3.

Leave a Reply

Your email address will not be published.


Join Our Newsletter

Name
Email *

If you have any query or problem then feel free to ask us here. Guaranteed customer satisfaction with prompt support