Jetpack <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS)



Description
According to RIPS Technologies:

"RIPS detected a Stored XSS vulnerability that affects a module available to premium and professional users of Jetpack. Attackers who gained control over an account on the target site with at least Contributor privileges were able to inject arbitrary JavaScript code into the HTML markup of a blog post. Once the administrator of the target site views the malicious blog post, evil JavaScript code is executed which compromises the target server."

Affects Plugin

fixed in version 6.5

References

URL https://www.ripstech.com/php-security-calendar-2018/#day-11

Classification

Type XSS
OWASP Top 10 A3: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher RIPS Technologies
Submitter Ryan Dewhurst
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Verified No
WPVDB ID 9168

Timeline

Publicly Published 2018-12-11
Added 2018-12-12
Last Updated 2018-12-12

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.