
Sucuri Blog

Website Security News


Security Advisory: Stored XSS in Jetpack

May 27, 2016 by Marc-Alexandre Montpas

Security Risk: Medium

Exploitation Level: Easy/Remote

DREAD Score: 6/10

Vulnerability: Stored XSS

Patched Version: 4.0.3


During regular research audits for our Sucuri Firewall (Cloud WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million WordPress sites. The vulnerability is easy to exploit through WordPress comments, and we recommend that everyone update as soon as possible if you have not done so yet.

Vulnerability Disclosure Timeline:

  • May 12th, 2016 – Initial report to the Jetpack team
  • May 26th, 2016 – Jetpack disclosure released.
  • May 27th, 2016 – Sucuri disclosure released.

Are You at Risk?

The security bug is located in the Shortcode Embeds Jetpack module, so if you don't have it activated on your site you're not affected by this issue. An attacker can exploit the vulnerability by leaving a comment containing a carefully positioned shortcode, injecting malicious JavaScript code into the vulnerable website.

As it is a Cross-Site Scripting (XSS) vulnerability it could allow an attacker to hijack administrator accounts, inject SEO spam to the affected page, and redirect visitors to malicious websites.

Technical Details

This bug is very similar to the bbPress vulnerability we disclosed last week, another instance of text carelessly being replaced with some HTML tags.

[Image: stored XSS in Jetpack, code snippet 1]

In this case, our journey begins with the comment_text hook, which is applied when a comment's content is printed. The vimeo_link function is hooked there so it can modify the comment output dynamically.

[Image: stored XSS in Jetpack, code snippet 2]

As you can see from the above regexes, it will look for a vimeo shortcode inside the comment and if it finds one, it will pass it to the vimeo_link_callback function.

[Image: stored XSS in Jetpack, code snippet 3]

What is returned is an HTML tag containing the embedded Vimeo video. Let's take a look at what the resulting output looks like if we send a comment containing <a title='[vimeo 123]'>abc</a>:

[Image: stored XSS in Jetpack, code snippet 4]

Woah, what happened there? It looks like the title attribute's closing single quote (') disappeared! All we needed to turn that into a working exploit was to make sure we could properly close the title attribute and insert arbitrary event handlers to run our PoC. As we said, very easy to exploit.
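To make the bug class concrete, here is an added Python model of the pattern described above. It is not Jetpack's code (Jetpack is PHP); the shortcode grammar, the iframe markup and every function name are assumptions. It contrasts a display-time filter that substitutes the shortcode wherever it appears, including inside an attribute of a tag the commenter was allowed to post, with one that expands shortcodes only in text nodes, and it adds the check a WAF or moderation scan would run over stored comments: which tag attributes carry a shortcode at all.

```python
import re
from html.parser import HTMLParser

# Constructed model of the pattern in the advisory: a display-time comment
# filter rewrites a [vimeo N] shortcode into an HTML embed. Added example,
# not Jetpack's code; the grammar, the markup and the names are assumptions.
VIMEO_SHORTCODE = re.compile(r"\[vimeo\s+(\d+)\]")


def vimeo_embed(video_id: str) -> str:
    """Markup emitted for one shortcode (assumed). What matters for the bug
    is only that it is a tag, i.e. it carries quotes and a '>'."""
    return ('<iframe src="https://player.vimeo.com/video/%s" '
            'width="500" height="281"></iframe>' % video_id)


def expand_shortcodes(text: str) -> str:
    return VIMEO_SHORTCODE.sub(lambda m: vimeo_embed(m.group(1)), text)


def comment_text_vulnerable(comment: str) -> str:
    """Like the hooked filter the advisory describes: substitute wherever the
    shortcode matches, with no regard for whether that position is already
    inside a tag the commenter was allowed to post (e.g. <a title='...'>)."""
    return expand_shortcodes(comment)


class _CommentParser(HTMLParser):
    """Walks the (already KSES-sanitised) comment HTML, expanding shortcodes
    only in text nodes and recording any shortcode found inside an attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &lt; etc. encoded
        self.out = []
        self.findings = []   # (tag, attribute) pairs where a shortcode sat
        self._text = []

    def _flush(self):
        if self._text:
            self.out.append(expand_shortcodes("".join(self._text)))
            self._text = []

    def handle_data(self, data):
        self._text.append(data)

    def handle_entityref(self, name):
        self._text.append("&%s;" % name)

    def handle_charref(self, name):
        self._text.append("&#%s;" % name)

    def handle_starttag(self, tag, attrs):
        self._flush()
        for name, value in attrs:
            if value and VIMEO_SHORTCODE.search(value):
                self.findings.append((tag, name))
        self.out.append(self.get_starttag_text())  # copied verbatim, never rewritten

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self._flush()
        self.out.append("</%s>" % tag)

    def handle_comment(self, data):
        self._flush()
        self.out.append("<!--%s-->" % data)
    # declarations and PIs are dropped; KSES would not let a commenter post them

    def finish(self) -> str:
        self.close()
        self._flush()
        return "".join(self.out)


def comment_text_hardened(comment: str) -> str:
    """Shortcodes are expanded only where they are text, so an attribute
    value can never be turned into markup."""
    p = _CommentParser()
    p.feed(comment)
    return p.finish()


def shortcodes_in_attributes(comment: str):
    """Detection check for stored comments: which tag attributes carry a shortcode?"""
    p = _CommentParser()
    p.feed(comment)
    p.finish()
    return p.findings


if __name__ == "__main__":
    # Constructed inputs; the first mirrors the payload shape in the advisory,
    # the second shows why a regex "am I inside a tag?" heuristic is not enough.
    for c in ("<a title='[vimeo 123]'>abc</a>",
              "<a title='>[vimeo 123]'>abc</a>",
              "Nice talk: [vimeo 123]"):
        print("vulnerable:", comment_text_vulnerable(c))
        print("hardened:  ", comment_text_hardened(c))
        print("findings:  ", shortcodes_in_attributes(c))
```

The vulnerable path turns the attribute value into a tag, which is the attribute-context break the advisory walks through; the hardened path uses a real HTML parser rather than a regex, so a quoted attribute value that itself contains a '>' is still treated as attribute text. The findings list is the piece worth reusing: run it over stored comments to find payloads that were posted before the update.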

We worked with the Jetpack team; they responded immediately and kept us in the loop the whole time.

Update as Soon as Possible

If you're using a vulnerable version of this plugin, update as soon as possible! If you cannot do so, we strongly recommend leveraging the Sucuri Firewall or an equivalent technology to get it patched virtually.


Categories: Security Advisory, Vulnerability Disclosure, WordPress Security
Tags: WordPress Plugins and Themes, XSS

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.


Comments

  1. liberatumente

    May 27, 2016

    Thanks, as always, for keeping us informed and secure 🙂

  2. Manuel Riel

    May 28, 2016

    Good job, guys.

  3. reidtech

    May 28, 2016

    Thanks for the heads-up Sucuri. You guys are awesome!

© 2023 Sucuri Inc. All rights reserved