Overview
Security Flaw in WordPress Jetpack Plugin: Automattic, the developer of the Jetpack plugin, has announced a security flaw that exist in the Carousel feature of the plugin. The specifics of the security flaw has not been disclosed by the Automattic. However, attackers may try to take advantage of the vulnerability since Jetpack is a very popular WordPress plugin used by over 5 million sites.
Description
JetPack is a popular plugin that combines many features such as security, performance and site management into a single plugin. The plugin was developed and it is maintained by Automattic, the company behind WordPress. Currently, it is run on over 5 million+ WordPress sites.
According to Automattic, the security flaw exist in the Carousel feature and its option to display comments for each image. The Carousel feature is being used to display images in a fashionable and modern looking way on the websites. The company declared that there is no evidence that the vulnerability has been exploited in the wild. However, attackers could try to take advantage of the disclosed flaw since the vulnerability affects more than 5 million websites.
The Carousel feature related vulnerability affects all versions starting with the Jetpack 2.0 that was released back in November 2012, up to the version 9.7.1.
The fact that the vulnerability has been disclosed to the company by a security researcher outside the company and the security flaw exists since 2012 might indicate that the vulnerability could have been exploited in the wild before its official disclosure by the company.
Impact
Neither a CVE-ID nor the details of the vulnerability are known currently, as the company has not disclosed the specifics of the security flaw, possibly to protect the sites that haven’t been update yet.
Impact Summary
Category: N/A
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A
A search on the NVD (National Vulnerability Database) for Jetpack vulnerabilities reveals that currently the latest registered Jetpack vulnerability with a CVE id is CVE-2016-10706 and no other vulnerability that has been identified afterwards has been given a CVE identifier yet. The company seems to be publishing the vulnerabilities on the NVD only after a few years past their initial discovery.
Solution (Update/Workaround)
To defend against possible attacks due to the disclosed security flaw in WordPress Jetpack plugin, the plugin needs to be updated as patched versions of every vulnerable version has been already released by Automattic.
Also, as a rule of thumb, the attack surface should be decreased by identifying a minimal set of essential and critical plugins to be installed in WordPress. The selected plugins should come from trustworthy sources and and the most trusted version should be installed in your system. Don’t forget that each theme and plugin come with their own vulnerabilities to be exploited by the hackers. Read more on how to secure WordPress sites.
I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually ‘Nothing; you’re screwed’.
Bruce Schneier
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
References to Advisories, Solutions and Tools
To learn more about how to protect your WordPress site, you can also read How to Secure Your WordPress Site?
