WordPress plugin (Jetpack) Vulnerability

We received the following notice from one of the website security services we subscribe to. We have evaluated and implemented corrective measures to any of our current clients an can assure that all websites under any of our Maintenance Packages have been secured against any issues and none have been affected.

We encourage clients and others reading this notice to take the measure noted below to safeguard their websites as well.

email from Sucuri Security to The Image Stop ltd.

During a routine audit of our Web Application Firewall (WAF), we discovered a stored XSS vulnerability affecting the Jetpack WordPress Plugin, one of the most popular plugins of the WordPress ecosystem.

Security Risk: Dangerous

This email does not mean you are affected!! Being proactive in the protection of your site is one of the most important aspects of having a solid security posture. Therefore, we feel it’s important to research and report on all potential threats as quickly as possible.

The vulnerability affects users of Jetpack versions < = to 3.7 that use the contact form module present in the plugin, which is activated by default. An attacker can exploit this issue by providing a specially crafted malicious email address in one of the site’s contact form pages.