Jetpack 4.0.3 just fixed a stored XSS security flaw. It allows a visitor to insert a shortcode containing HTML attributes that are usually forbidden.
The vulnerability has been patched, of course, but keep in mind that every version from Jetpack 2.0 (November 2012) up to, but not including, 4.0.3 is affected.
Today there is no way to know whether this has already been used to hack websites, but it will be: now that the disclosure has been made, it is just a question of time.
If you like the technical side, here is the flawed code (without code comments):
```php
function vimeo_link( $content ) {
	$shortcode = "(?:\[vimeo\s+[^0-9]*)([0-9]+)(?:\])";

	$plain_url = "(?:[^'\">]?\/?(?:https?:\/\/)?vimeo\.com[^0-9]+)([0-9]+)(?:[^'\"0-9<]|$)";

	return preg_replace_callback(
			sprintf( '#%s|%s#i', $shortcode, $plain_url ),
			'vimeo_link_callback',
		$content
	);
}
```
The patch added a new callback function which, until proven otherwise, now filters HTML tags correctly.
Update as soon as possible.
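As an added example (not from the original post and not Jetpack's own code), here is a small Python check that reads the version from the Jetpack plugin header and reports whether it falls in the affected range named above (2.0 up to, but not including, 4.0.3). The plugin path and the sample header are assumptions.

```python
"""Report whether an installed Jetpack copy is in the affected range
(>= 2.0 and < 4.0.3) by reading the plugin header of jetpack.php."""
import re
from pathlib import Path

AFFECTED_MIN = (2, 0)    # first affected release named in the post
FIXED = (4, 0, 3)        # release that ships the fix


def parse_version(text: str) -> tuple:
    """Turn '4.0.3' or '3.9-beta2' into a comparable tuple (suffixes ignored)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_from_header(php_source: str) -> str:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return m.group(1)


def is_affected(version: str) -> bool:
    """Tuple comparison handles short versions: (4, 0) < (4, 0, 3) is True."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def check_install(plugin_root: str = "wp-content/plugins/jetpack") -> bool:
    """Read jetpack.php under an assumed plugin path and return True if affected."""
    source = Path(plugin_root, "jetpack.php").read_text(encoding="utf-8", errors="replace")
    return is_affected(version_from_header(source))


# Constructed sample, mimicking the top of jetpack.php on an unpatched site.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Jetpack by WordPress.com
 * Version: 4.0.2
 */
"""

if __name__ == "__main__":
    found = version_from_header(SAMPLE_HEADER)
    print(f"Jetpack {found}: {'AFFECTED, update now' if is_affected(found) else 'patched'}")
```

Run `check_install()` from the WordPress root to test a real install instead of the constructed header.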