Wordpress- Jetpack Exploit

vyasvyas OG
edited November 2019 in Technical

Read this in a WP group about an exploit in Jetpack plugin. Bottomline: if you use Jetpack plugin, upgrade to ver. 7.9.1 ASAP

Since many use / offer WP hosting thought it might be relevant to post here.
Adding the 'raw' source - removed all UTM information
https://www.bleepingcomputer.com/news/security/millions-of-sites-exposed-by-flaw-in-jetpack-wordpress-plugin/

< signed off >

Comments

  • RahulRahul OG
    edited November 2019

    vyas said: WP

    Get hit with

    vyas said: an exploit

    sooner or later

  • Yes, but WP has lots of advantages and I think it is hard not to use it. I just wonder if such plugins that do so many things at one time are inherently more prone to exploits simply because small plugins that do just one thing well have much less code to deal with and it is much easier to see what can go wrong. Not saying small plugins are better, but I think the probability of being able to catch problems early is higher.


  • poisson said: I just wonder if such plugins that do so many things at one time are inherently more prone to exploits simply because small plugins that do just one thing well have much less code to deal with and it is much easier to see what can go wrong.

    I think it's just they are more often being targeted and are easier to detect. Small plugins might not even show up in the HTML code, or they might not interact with the user, so the attack surface is low.

    If there is so much to exploit in the popular big plugins, why bother with niche plugins?

  • @intelpentium said:

    poisson said: I just wonder if such plugins that do so many things at one time are inherently more prone to exploits simply because small plugins that do just one thing well have much less code to deal with and it is much easier to see what can go wrong.

    I think it's just they are more often being targeted and are easier to detect. Small plugins might not even show up in the HTML code, or they might not interact with the user, so the attack surface is low.

    If there is so much to exploit in the popular big plugins, why bother with niche plugins?

    Security by obscurity. I prefer to handle a few specialised plugins instead of a fat one like Jetpack.



  • vyasvyas OG
    edited November 2019

    About WP security there was a discussion at the other place a few days back and I had summarised some of the points in a blog post.

    I had several sites and sub domains connected via JP mainly so that I could write drafts in iA Writer -> schedule posts -> add meta tags, images etc. via the WP app on Mac and publish posts / update sites etc.

    Now I have changed the workflow so there is no need to have JP. It is slow and flaky - half the time sites disconnect for one reason or another. I think the key was finding the right tools (and people) to suit a new workflow. This incident provided the trigger.

    Another learning: the updates were pushed first for paid versions of JP. Updates for JP Free version came a day or two later. I will be updating the post on my website shortly.


    < signed off >
