JetPack XSS Security Issue - What We Did to Protect You

On October 1st, a security issue in JetPack, one of the most commonly used WordPress plugins, was disclosed by our partners from Sucuri. The vulnerability was severe because an attacker could exploit the contact form feature of the plugin to insert and execute JavaScript code as an admin of your site. Needless to say, that could lead to all sort of problems – injecting black SEO links, adding backdoors for full access to your account, accessing private information, etc. In this recap post, we would like to summarise what we did to protect SiteGround users with this plugin installed.

Added a Rule in Our WAF to Prevent Exploiting the Vulnerability

Our security team acted immediately on the day the vulnerability was announced and added a special rule to block hacking attempts trying to utilise this exploit in our web application firewall. Basically, we started blocking all requests that match a pattern crafted by our security team. Of course, before applying this firewall rule, we did enough testing to make sure that no real requests to our customers’ sites will be blocked, just the malicious ones. However, doing this does not fix the core of the problem, but simply prevents attacks that try to gain unauthorised access to our customers’ sites through this security hole.

Updated the JetPack plugins of our clients

After the disclosure of the vulnerability, the Automattic team that developed JetPack has released an update for the plugin. Since we do not like leaving security holes unresolved, we notified all our clients using Jetpack that their plugins would be updated. And just a few days after the disclosure, we had updated 95% of all outdated JetPack plugins on our shared servers. About 5% of the attempted upgrades were unsuccessful, in which case we offered additional assistance to the affected owners.