Jetpack releases 4.0.3, Patches Security Hole


Jetpack has released version 4.0.3 of its WordPress plugin, which contains a critical fix for a vulnerability that has been present in Jetpack since version 2 was released in 2012. According to Jetpack team members, a stored XSS vulnerability was found in some shortcodes, which could allow a user to insert JavaScript into comments and hijack another user’s browser.


The bug is similar to one recently found and fixed in bbPress.

“Similar issues may exist in other plugins, and it’s a good reminder about the power of regular expressions to create issues when parsing data,”

– Sam Hotchkiss, Jetpack Team Member

The team behind the Jetpack plugin has been working alongside WordPress to push out releases for all vulnerable parts of the plugin.  Jetpack is using WordPress’s automatic core updates service, so any sites which have not opted out will receive an update shortly.

“Fortunately, we have no evidence of this being used in the wild…However, now that this update is public, it’s just a matter of time before someone attempts to exploit it.”

– Sam Hotchkiss, Jetpack Team Member

Users are advised to update the plugin as soon as possible, as the update will also fix any exploited shortcode currently in use.
