Bloggers using the WordPress platform are being advised to update the Jetpack plug-in to avoid a cross-site scripting vulnerability.
One million users of the plug-in – which was developed by Automattic, the makers of WordPress – could be at risk. The tool provides website enhancements, management and security features.
The flaw – which impacts Jetpack releases since 2012, beginning with v2.0 – was detected by web security firm Sucuri. The bug is located in the Shortcode Embeds Jetpack module, a shortcut function enabled by default that allows users to embed videos, images, documents, tweets and other materials.
The Sucuri researchers said this flaw can be exploited to inject malicious JavaScript code into comments. Subsequently, it "could allow an attacker to hijack administrator accounts, inject SEO spam to the affected page, and redirect visitors to malicious websites," Sucuri noted in a blog post.
Update as soon as possible, said the researchers.