WordPress Vulnerability Report #15 – November 2019

With only two vulnerabilities recorded, November 2019 may be one of the quietest months since we launched the WordPress Vulnerability Report. However, a security issue in Jetpack, an extremely popular site management plugin, could affect millions of websites. Read on to learn how to keep your site secure.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • Sassy Social Share 3.3.3 - Cross-Site Scripting (XSS)
  • Jetpack 5.1-7.9 - Vulnerability in Shortcode Embed Code

Our goal is to make the Web secure and transparent for everyone. If you have questions regarding our report, don’t hesitate to contact us.

We also offer professional security monitoring – including plugin monitoring, offsite backups, and much more. Learn more about our WordPress security and maintenance services and subscribe to our newsletter for monthly updates on WordPress vulnerabilities.


Secure business website – WordPress core and plugin vulnerabilities

Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information, please read our introductory article.

Sassy Social Share 3.3.3 - Cross-Site Scripting (XSS)!

Problem
A frequent issue in WordPress plugins, missing or incorrect input sanitisation and output escaping, causes this plugin to render user-supplied text as raw HTML instead of as text. Anything an attacker can place in that input, including script, therefore ends up in the page served to visitors.
Is it safe?
Remote attackers can perform a variety of malicious actions, including changing the appearance of a website, running phishing attacks to steal sensitive data, and more, because the injected code executes in the visitor's browser with the same privileges as the site's own scripts.
Our recommendation
Update to plugin version 3.3.4 or later, which fixes the vulnerability.
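The pattern behind this class of bug, shown as an added illustration rather than code from Sassy Social Share or from this report: a shortcode attribute echoed straight into markup, beside the same output passed through WordPress's escaping functions. The function names, the `title` attribute and the payload are assumptions chosen for the example; `esc_attr()` and `esc_html()` are WordPress's real escaping functions, with stand-ins defined so the file also runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Demonstrates why unescaped plugin
// output is an XSS sink and how context-appropriate escaping fixes it.

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// esc_attr()/esc_html() are used; they perform the same HTML entity encoding.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (hypothetical): attacker-controlled text concatenated
// directly into an attribute and into element content.
function render_share_button_vulnerable(array $atts) {
    $title = $atts['title'] ?? '';
    return '<a class="share" title="' . $title . '">' . $title . '</a>';
}

// Hardened pattern: escape at output time for the exact context the value
// lands in (attribute value vs. element text).
function render_share_button_hardened(array $atts) {
    $title = $atts['title'] ?? '';
    return '<a class="share" title="' . esc_attr($title) . '">' . esc_html($title) . '</a>';
}

// Constructed payload: closes the title attribute and injects an event handler.
$payload = '" onmouseover="alert(document.cookie)" x="';

$vulnerable = render_share_button_vulnerable(['title' => $payload]);
$hardened   = render_share_button_hardened(['title' => $payload]);

echo "Vulnerable output:\n$vulnerable\n\n";
echo "Hardened output:\n$hardened\n\n";

// Self-check: the hardened markup must not contain a raw attribute boundary
// followed by the injected handler, while the vulnerable one does.
$injected = strpos($vulnerable, '" onmouseover="') !== false;
$escaped  = strpos($hardened, '" onmouseover="') === false;
echo ($injected && $escaped) ? "Escaping blocked the injection.\n"
                             : "Unexpected result, review the escaping.\n";
```

Run it with `php example.php`. In a real plugin the same rule applies to every value that reaches HTML output, whether it comes from a shortcode attribute, a settings field or a request parameter: validate or sanitise on input (for example with `sanitize_text_field()`), and always escape on output with the function matching the context (`esc_attr()`, `esc_html()`, `esc_url()` and so on). Escaping on output is what prevents the text-rendered-as-HTML behaviour described above, regardless of how the value entered the database.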

Jetpack 5.1-7.9 - Vulnerability in Shortcode Embed Code!

Problem
An unspecified vulnerability in the way Jetpack processes shortcode embed code was reported this month; the technical details have not been published.
Is it safe?
The issue affects every version since 5.1, released in July 2017. There have been no reports of successful attacks so far, but now that the issue is public the risk of exploitation is much higher.
Our recommendation
Update to the patched release of the Jetpack branch you are running: the Jetpack developers have released security updates for all 29 release branches since 5.1, up to and including the latest, 7.9.1. If you are on an older branch, we strongly recommend upgrading to 7.9.1 so that you also receive fixes for other possible security issues.
