reCAPTCHA Jetpack WordPress Plugin Stored Cross-Site Scripting Vulnerability via Cross-Site Request Forgery

A stored cross-site scripting vulnerability has been identified in the reCAPTCHA Jetpack WordPress plugin, affecting versions through 0.2.2. The issue arises because the plugin lacks proper cross-site request forgery (CSRF) protections in certain areas and fails to adequately sanitize and escape user input. This combination could enable attackers to exploit logged-in administrators by injecting malicious scripts that are stored and executed later.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, Jetpack must be installed, and a page or post should be created containing a Jetpack Contact Form shortcode. After publishing the post or page with the contact form, a logged-in admin can be tricked into submitting a form that injects a script payload into the reCAPTCHA Jetpack plugin settings. This can be done by creating an HTML document that automatically submits a form with the malicious payload to the WordPress admin options page for the reCAPTCHA Jetpack plugin.