Jetpack <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS)



Description
According to RIPS Technologies:

"RIPS detected a Stored XSS vulnerability that affects a module available to premium and professional users of Jetpack. Attackers who gained control over an account on the target site with at least Contributor privileges were able to inject arbitrary JavaScript code into the HTML markup of a blog post. Once the administrator of the target site views the malicious blog post, evil JavaScript code is executed which compromises the target server."

Affects Plugin

fixed in version 6.5

References

URL https://www.ripstech.com/php-security-calendar-2018/#day-11

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher RIPS Technologies
Submitter Ryan Dewhurst
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 8568
Verified No
WPVDB ID 9168

Timeline

Publicly Published 2018-12-11 (8 months ago)
Added 2018-12-12 (8 months ago)
Last Updated 2018-12-12 (8 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin