Automattic has fixed a dangerous cross-site scripting (XSS) vulnerability in the Jetpack plugin affecting over one million sites.

Jetpack is a free module provided by Automattic, the makers of WordPress, and it adds features found on WordPress.com to custom WordPress sites created on the top of their famous open-source CMS platform.

Not all Jetpack users are affected, but the number is high nevertheless

Security firm Sucuri discovered the Jetpack XSS issue, and they say it only affects sites that have the Jetpack Shortcode Embeds module active, which comes enabled by default with all new Jetpack installations.

Shortcodes are simple shortcuts that automate certain actions, using the format: [SHORTCODE parameter="value"]. All experienced WordPress users are familiar with them, and they're crucial to WordPress customization operations, also being the reason this Jetpack module comes enabled by default while others do not.

Sucuri says the XSS issue resides in how WordPress handles the code inside comments. An attacker could leave a shortcode inside a site's comment field in the form of < a title='[SHORTCODE]'>link text< / a >.

Because WordPress functions are a complicated jumble of code that gets loaded from different portions of the CMS core, somehow, passing the shortcode inside the link's title attribute in that format escapes XSS filters and input sanitization and allows an attacker to append malicious code.

The XSS malicious payload is then stored in the site's comments database and gets displayed for anyone viewing comments on that page.

Attackers can hijack admin accounts, insert SEO spam

XSS vulnerabilities are known to grant a skilled attacker the possibility of taking over user accounts, including the main admin profile. Sucuri points out that you don't necessarily have to take over a user account, though, and attackers could simply use this XSS flaw to insert SEO spam on a site or embed redirections that will steal Web traffic.

The Jetpack team released version 4.0.3 on May 26 to address the issue discovered and reported by Sucuri on May 12.

The Jetpack XSS vulnerability resembles a similar XSS issue Sucuri found in the bbPress WordPress forum plugin last week.

Below is the description of the Shortcode Embeds module in a WordPress test site running the Jetpack plugin.