possible vulnerability in jetpack custom css
My WordPress news site was under attack earlier today. The attackers were injecting code repetitively into every input box they could find on the site. That drove up the CPU usage [graph] and almost got my account suspended by the host. I started following the trail I found in the access logs and temporarily closed all the forms on the site. But then I noticed that the attacker started accessing a file in the Jetpack plugin's directory, and it turned out to be the CSS Formatter and Optimizer, found in “wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php” [screenshot], which is open to all visitors, logged in or not. I did a bit of research and found this vulnerability report about the aforementioned file. I renamed the file and added an empty index.php file to hide the content of that directory, and I'm trying to figure out a better solution at the moment.
Why would you allow that file to be open to the public? And why not do something to hide the files inside the directories? I understand the directory structure and content can be easily obtained by installing Jetpack, but it would at least make it harder for automated scraping solutions to find open input fields.
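A defender-side triage script, added here as an example and not part of the original post, that walks Apache combined-format access-log lines and flags the two patterns the poster describes: direct anonymous requests to the csstidy `css_optimiser.php` path, and one address repeatedly POSTing to form endpoints. The log lines, IP addresses and the POST threshold are constructed assumptions, not data from the site.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2015:13:55:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:55:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 5 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:55:03 +0000] "POST /contact/ HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2015:13:55:04 +0000] "GET /wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php?css=a HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:56:10 +0000] "GET /2015/10/some-article/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2015:13:56:40 +0000] "POST /contact/ HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
"""

# Path named in the post; direct requests to it from anonymous visitors are the signal.
CSSTIDY_PATH = "/wp-content/plugins/jetpack/modules/custom-css/csstidy/css_optimiser.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (ip, method, path without query string, status) per parseable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        path = m.group("path").split("?", 1)[0]
        yield m.group("ip"), m.group("method"), path, int(m.group("status"))


def triage(text, post_threshold=3):
    """Return IPs that requested the csstidy script directly and IPs whose
    POST count (form submissions) reaches post_threshold (assumed value)."""
    csstidy_hits = set()
    posts = Counter()
    for ip, method, path, _status in parse_log(text):
        if path == CSSTIDY_PATH:
            csstidy_hits.add(ip)
        if method == "POST":
            posts[ip] += 1
    flooders = {ip: n for ip, n in posts.items() if n >= post_threshold}
    return {"csstidy_hits": sorted(csstidy_hits), "form_flooders": flooders}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Point it at a real access log with `triage(open("access.log").read())`; addresses that appear in both lists are the ones worth blocking first, while the csstidy list on its own tells you whether the file is still reachable after the rename.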
- The topic ‘possible vulnerability in jetpack custom css’ is closed to new replies.