On May 26th 2016 Jetpack disclosed an XSS vulnerability discovered in their popular plugin.
We would like to take this opportunity to describe what XSS is.
A Cross-Site Scripting (XSS) attack refers to the injection of malicious code, or a malicious payload, into the pages of a legitimate website. When these compromised pages are later visited by the site's users, the injected code is executed by the client-side application (the visitor's web browser) and performs the actual malicious action, such as redirecting the visitor to another website, downloading and installing malware, or showing adult ads.
In most cases, malicious code injection does not require direct access to website files or internals. It exploits a security vulnerability in which a website or web application stores, and later presents, unvalidated user input. Unfiltered forms, pop-ups and other dynamic content are where a malicious payload can be crafted into a string carrying JavaScript code or a link/iframe to another compromised website.
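The store-then-echo pattern above, as an added example in Python (not Jetpack's or any WordPress code): a constructed comment is rendered once unescaped, the vulnerable form, and once with context-appropriate output encoding; the link helper also shows that escaping alone is not enough for an href, where the URL scheme must be restricted as well.

```python
import html
from urllib.parse import urlparse

# Constructed sample of stored user input, the kind a comment form might persist.
# Assumption: the application saves the raw string and later echoes it into the page.
SAMPLE_COMMENT = 'Great post! <script>alert("xss")</script>'

PAGE_TEMPLATE = '<div class="comment">{body}</div>'


def render_comment_unsafe(comment: str) -> str:
    """Echo the stored string straight into the page: the vulnerable pattern."""
    return PAGE_TEMPLATE.format(body=comment)


def render_comment_safe(comment: str) -> str:
    """Encode the string for an HTML text context before it reaches the page."""
    return PAGE_TEMPLATE.format(body=html.escape(comment, quote=True))


def render_link_safe(url: str, text: str) -> str:
    """A link context needs more than escaping: also allow only http(s) URLs,
    since an escaped javascript: URL is still executed by the browser."""
    scheme = urlparse(url).scheme.lower()
    href = url if scheme in ("http", "https") else "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(href, quote=True), html.escape(text, quote=True)
    )


def contains_active_markup(fragment: str) -> bool:
    """Crude review check: does the rendered output still carry a live tag?"""
    lowered = fragment.lower()
    return "<script" in lowered or "<iframe" in lowered


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(SAMPLE_COMMENT))
    print("safe:  ", render_comment_safe(SAMPLE_COMMENT))
    print("link:  ", render_link_safe("javascript:alert(1)", "click"))
```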
XSS vulnerabilities can be very trivial and detected by an XSS vulnerability scanner. In their more complex variants, however, it may take several years until they are uncovered (as with the Jetpack plugin, where the XSS vulnerability remained undetected since 2012).