Jetpack 4.0.3 Security Patch

Jetpack 4.0.3 just fixed a security flaw named Stored XSS. It allows a visitor to insert a shortcode containing some HTML attributes usually forbidden.

The vulnerability

According to Sam Hotchkiss, member of the Jetpack development team, this XSS vulnerability can be found in the shortcodes parsing method, a Jetpack’s one. A attacker could easily add some JavaScript code in your comments to hack your visitor’s browser.

The vulnerability has been patched of course, but keep in mind that all versions between Jetpack 2.0 from novembre 2012 and below 4.0.3 are in sight.

Today there is no way to know is this have already been used to hack websites, but now, it will, it’s just a question of time since the disclose have been made.

Some technique

If you like technical, here’s the code from the flaw (without code comments):

function vimeo_link( $content ) {
	$shortcode = "(?:\[vimeo\s+[^0-9]*)([0-9]+)(?:\])";

	$plain_url = "(?:[^'\">]?\/?(?:https?:\/\/)?vimeo\.com[^0-9]+)([0-9]+)(?:[^'\"0-9<]|$)";

	return preg_replace_callback(
			sprintf( '#%s|%s#i', $shortcode, $plain_url ),
			'vimeo_link_callback',
		$content
	);
}

The patch added a new callback function which filter now correctly, until proven otherwise, HTML tags.

Stay updated as soon as possible.

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.