Sucuri recently discovered a stored XSS in all versions from 2.0 (released in November 2012) of the popular WordPress plugin Jetpack. The plugin has over 1 million active installs and is made by Automattic, the company behind WordPress. The vulnerability can easily be exploited via wp-comments and allows hackers to take over administrator accounts.
[Solution] Upgrade to Jetpack version 4.0.3
Read Jetpack’s comment on the vulnerability here.
As always, we recommend you to run regular security tests on your website to keep up with all the latest vulnerabilities.
Stay safe!