
Dear Clients,
A critical stored XSS vulnerability in the Jetpack WordPress plugin was announced yesterday affecting anyone using Jetpack version 3.7 or lower.
We strongly recommend updating the plugin to the latest version, or disabling and removing it if it is not being used.
Jetpack is one of WordPress’ most popular plugins with over 1 million active installs.
A stored XSS vulnerability is particularly nasty because someone can simply plant code on your web server and wait for you to log into WordPress. Here, the flaw is in the plugin's contact form module, which is enabled by default. The attacker submits a malicious email address through the form; it is stored and later runs when an administrator views it, giving the attacker the admin's access.
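To illustrate the pattern described above, here is an added example (not Jetpack's code and not the actual flaw) of a hypothetical WordPress contact-form handler: the vulnerable version stores the submitted email address unchecked and echoes it raw in wp-admin, while the hardened version validates on input and escapes on output. The function names, the `feedback` post type and the `_feedback_email` meta key are assumptions for this example.

```php
<?php
// Added example, not Jetpack's code. Hypothetical contact-form storage and
// admin rendering, shown first as the vulnerable pattern, then hardened.

// Vulnerable: whatever was typed into the email field is stored verbatim
// and later echoed unescaped inside wp-admin, so any markup in it executes
// in the administrator's browser when the feedback list is viewed.
function store_feedback_vulnerable( $post_id, $submission ) {
    // No validation: the "email" may contain anything at all.
    update_post_meta( $post_id, '_feedback_email', $submission['email'] );
}

function render_feedback_vulnerable( $post ) {
    $email = get_post_meta( $post->ID, '_feedback_email', true );
    echo '<td>' . $email . '</td>'; // raw output in the admin screen
}

// Hardened: reject anything that is not a well-formed address on input,
// and escape on output anyway (defence in depth, in case bad data is
// already in the database from before the fix).
function store_feedback_hardened( $post_id, $submission ) {
    $email = sanitize_email( wp_unslash( $submission['email'] ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid email address.' );
    }
    update_post_meta( $post_id, '_feedback_email', $email );
    return true;
}

function render_feedback_hardened( $post ) {
    $email = get_post_meta( $post->ID, '_feedback_email', true );
    // esc_html() neutralises any stored markup before it reaches the admin.
    echo '<td>' . esc_html( $email ) . '</td>';
}
```

Validation alone is not enough once bad records exist; the output escaping is what protects an administrator who views submissions stored before the plugin was updated.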
For more technical details, head over to Sucuri to read how it was found.
*And remember, if you don't use WordPress you have nothing to worry about!
Warm Regards,
The eDisc Web Team