Jetpack 4.0.3 fixes a stored XSS vulnerability: it allowed a visitor to insert a shortcode carrying HTML attributes that are normally forbidden.
The vulnerability
According to Sam Hotchkiss, a member of the Jetpack development team, the XSS vulnerability lies in Jetpack's shortcode parsing code. An attacker could add JavaScript to a comment on your site and have it run in your visitors' browsers.
The vulnerability has been patched, but keep in mind that every version from Jetpack 2.0 (November 2012) up to, but not including, 4.0.3 is affected.
There is currently no way to know whether this has already been used to compromise websites, but now that it has been disclosed, it is only a matter of time before it is.
Some technical details
If you like technical details, here is the vulnerable code before the fix (comments removed):
```php
function vimeo_link( $content ) {
	$shortcode = "(?:\[vimeo\s+[^0-9]*)([0-9]+)(?:\])";

	$plain_url = "(?:[^'\">]?\/?(?:https?:\/\/)?vimeo\.com[^0-9]+)([0-9]+)(?:[^'\"0-9<]|$)";

	return preg_replace_callback(
			sprintf( '#%s|%s#i', $shortcode, $plain_url ),
			'vimeo_link_callback',
		$content
	);
}
```
The patch adds a new callback function that, until proven otherwise, now filters HTML tags correctly.
Update as soon as possible.
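The shortcode handling described in this post, worked through as an added example that is not Jetpack's own code: it reuses the two regex alternatives quoted above, supplies a hypothetical hardened callback for them, and adds a hypothetical handler for the bracketed form with attributes. The function and constant names, the attribute allow-list (w and h), the iframe markup and the sample comment are all assumptions made for illustration.

```php
<?php
// Added example, not Jetpack's own code. It reuses the two regex alternatives
// quoted in the post and adds a hypothetical hardened handler for the
// bracketed "[vimeo ID w=.. h=..]" form. Both paths reduce untrusted text to
// a numeric video ID and allow-listed integer dimensions before building any
// HTML, so attribute text typed by a commenter never reaches the markup.

// Attributes the handler accepts, with defaults (assumed). Anything else is dropped.
const VIMEO_ALLOWED_ATTS = array( 'w' => 400, 'h' => 300 );

// Plain-URL and bare "[vimeo 123]" forms, matched exactly as the post's regex does.
function vimeo_link( string $content ): string {
    $shortcode = "(?:\[vimeo\s+[^0-9]*)([0-9]+)(?:\])";
    $plain_url = "(?:[^'\">]?\/?(?:https?:\/\/)?vimeo\.com[^0-9]+)([0-9]+)(?:[^'\"0-9<]|$)";

    return preg_replace_callback(
        sprintf( '#%s|%s#i', $shortcode, $plain_url ),
        'vimeo_link_callback',
        $content
    );
}

// Hypothetical hardened callback: group 1 is filled by the shortcode
// alternative, group 2 by the plain-URL one. Only the numeric ID is used.
function vimeo_link_callback( array $matches ): string {
    $id = ( isset( $matches[1] ) && $matches[1] !== '' ) ? $matches[1] : ( $matches[2] ?? '' );
    return vimeo_embed( (int) $id, VIMEO_ALLOWED_ATTS );
}

// Bracketed form with attributes: "[vimeo 123 w=640 h=360 style=...]".
// Only allow-listed keys survive, and their values are cast to int.
function vimeo_shortcode_atts( string $content ): string {
    return preg_replace_callback(
        '#\[vimeo\s+([0-9]+)((?:\s+\w+=(?:"[^"]*"|\'[^\']*\'|[^\s\]]+))*)\s*\]#i',
        function ( array $m ): string {
            $atts = VIMEO_ALLOWED_ATTS;
            if ( preg_match_all( '#(\w+)=("[^"]*"|\'[^\']*\'|[^\s\]]+)#', $m[2], $pairs, PREG_SET_ORDER ) ) {
                foreach ( $pairs as $pair ) {
                    $key = strtolower( $pair[1] );
                    if ( array_key_exists( $key, $atts ) ) {
                        $atts[ $key ] = (int) trim( $pair[2], "\"'" );
                    }
                }
            }
            return vimeo_embed( (int) $m[1], $atts );
        },
        $content
    );
}

// Every interpolated value is an int, so no quote, angle bracket or extra
// attribute can be smuggled into the iframe tag.
function vimeo_embed( int $id, array $atts ): string {
    if ( $id <= 0 ) {
        return '';
    }
    return sprintf(
        '<iframe src="https://player.vimeo.com/video/%d" width="%d" height="%d" frameborder="0" allowfullscreen></iframe>',
        $id,
        max( 1, (int) $atts['w'] ),
        max( 1, (int) $atts['h'] )
    );
}

// Constructed sample comment text, not taken from any real site.
$comment = 'Watch [vimeo 123456 w=640 h=360 style=anything] or https://vimeo.com/98765 later';
echo vimeo_shortcode_atts( vimeo_link( $comment ) ), PHP_EOL;
```

Run it with the php CLI and compare input to output: the two iframes contain only the integers 123456, 640, 360 and 98765, 400, 300, and the non-allow-listed style attribute never appears. One caveat that comes from the original pattern, not from the added callback: the plain-URL alternative also matches one character before the URL and one after it, so those characters (here the surrounding spaces) are replaced together with the link, and a production callback would want to put them back.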