WordPress Plugin Vulnerabilities

Jetpack < 6.5 - Authenticated Stored Cross-Site Scripting (XSS)

Description

According to RIPS Technologies:

"RIPS detected a Stored XSS vulnerability that affects a module available to premium and professional users of Jetpack. Attackers who gained control over an account on the target site with at least Contributor privileges were able to inject arbitrary JavaScript code into the HTML markup of a blog post. Once the administrator of the target site views the malicious blog post, evil JavaScript code is executed which compromises the target server."

Affects Plugins

Plugin icon
jetpack
Fixed in 6.5

References

URL
https://www.ripstech.com/php-security-calendar-2018/#day-11

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
RIPS Technologies
Submitter
Ryan Dewhurst
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
5e63453f-4d95-4bc3-9338-2d77f95f9ee7

Timeline

Publicly Published
2018-12-11 (about 5 years ago)
Added
2018-12-12 (about 5 years ago)
Last Updated
2019-11-01 (about 4 years ago)

Other

Published
Title
Published
2015-08-20
Title
Alpine PhotoTile for Instagram <= 1.2.7.5 - Authenticated Cross-Site Scripting (XSS)
Published
2020-04-22
Title
Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS
Published
2024-02-05
Title
WP 404 Auto Redirect to Similar Post < 1.0.4 - Reflected Cross-Site Scripting via request
Published
2024-04-05
Title
FooGallery < 2.4.15 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2024-03-26
Title
WP Editor < 1.2.9 - Reflected Cross-Site Scripting