WordPress plugin (Jetpack) Vulnerability
We encourage clients and others reading this notice to take the measure noted below to safeguard their websites as well.
email from Sucuri Security to The Image Stop ltd.
During a routine audit of our Web Application Firewall (WAF), we discovered a stored XSS vulnerability affecting the Jetpack WordPress Plugin, one of the most popular plugins of the WordPress ecosystem.
Security Risk: Dangerous
This email does not mean you are affected!! Being proactive in the protection of your site is one of the most important aspects of having a solid security posture. Therefore, we feel it’s important to research and report on all potential threats as quickly as possible.
The vulnerability affects users of Jetpack versions < = to 3.7 that use the contact form module present in the plugin, which is activated by default. An attacker can exploit this issue by providing a specially crafted malicious email address in one of the site’s contact form pages.