The sharing feature of the Jetpack plugin for WordPress is currently being exploited to send spam and possibly to mount DDoS attacks. FOSS Force became aware of this after we began looking into notifications from our server's security system about massive amounts of email being sent from our server. An investigation by our IT people traced the problem to the "Sharing" function of the Jetpack plugin.
Jetpack is a collection of plugins rolled into a single plugin and contains functions that are essential for many websites. The plugin, maintained by Automattic (the company behind WordPress.com), bundles features that were included with free WordPress.com-hosted sites but were unavailable to self-hosted users of the platform until Jetpack's release about five years ago. The "Sharing" function places social bookmarks at the end of posts and pages, allowing a site's visitors to share an article or post with social networking sites such as Reddit, Facebook or Twitter.
Included is the ability to share an article with a friend via email, and it is evidently this email sharing that spammers are exploiting. The sender's name is a required field in the email form. At present there is no maximum length for this field, so a spammer can paste an entire message into it, and the site's own mail system then delivers that text to whatever recipient address the spammer supplies. The site effectively becomes an open relay: the spam leaves under the site's domain and IP address, which is what triggered the outbound-mail alerts described above, and the same form aimed repeatedly at a single address can flood that recipient. This problem came to the attention of the plugin's developers at least two days ago, after the issue was raised on the WordPress forums. As this is a plugin maintained by Automattic, we expect to see an update addressing the issue within the next few days.
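The gap described above is a missing input bound: the name field is checked for presence but not for length or content. The following PHP is an added example, written for this article and not taken from Jetpack or from the plugin's developers, showing a minimal validator for a share-by-email form with the weak check beside a hardened one. The field names (`source_name`, `target_email`), the function names and the 64-character cap are assumptions chosen for illustration; the sample submissions at the bottom are constructed.

```php
<?php
// Added example, not Jetpack's code. Field names, function names and the
// length cap are assumptions for illustration. Requires the mbstring
// extension for mb_strlen (standard on WordPress hosts).

const SHARE_NAME_MAX_LEN = 64;

/**
 * Weak check, mirroring the problem described in the article: the name is
 * required, but nothing bounds its length or content, so whatever the
 * submitter types ends up in the outgoing mail.
 * Returns null when the submission is accepted, otherwise an error string.
 */
function weak_validate_share(array $post)
{
    if (!isset($post['source_name']) || trim((string) $post['source_name']) === '') {
        return 'Name is required.';
    }
    return null;
}

/**
 * Hardened check: the same required-field rule plus a length cap, a ban on
 * control characters (CR/LF in particular, so the value can never start a
 * new mail header or body paragraph), a ban on link- and address-like text,
 * and validation of the recipient address.
 * Returns null when the submission is accepted, otherwise an error string.
 */
function hardened_validate_share(array $post)
{
    $name = isset($post['source_name']) ? trim((string) $post['source_name']) : '';
    $to   = isset($post['target_email']) ? trim((string) $post['target_email']) : '';

    if ($name === '') {
        return 'Name is required.';
    }
    if (mb_strlen($name, 'UTF-8') > SHARE_NAME_MAX_LEN) {
        return 'Name is too long.';
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name) === 1) {
        return 'Name contains control characters.';
    }
    if (preg_match('#https?://|www\.|@#i', $name) === 1) {
        return 'Name must not contain links or e-mail addresses.';
    }
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return 'Recipient address is invalid.';
    }
    return null;
}

// Constructed sample submissions: one legitimate, two shaped like the abuse
// described in the article (a whole message stuffed into the name field).
$samples = array(
    'legitimate'      => array('source_name'  => 'Ada Lovelace',
                               'target_email' => 'friend@example.com'),
    'long spam body'  => array('source_name'  => str_repeat('Cheap pills, act now! ', 20),
                               'target_email' => 'victim@example.com'),
    'multi-line spam' => array('source_name'  => "Hi,\r\nvisit http://example.com/offer",
                               'target_email' => 'victim@example.com'),
);

foreach ($samples as $label => $post) {
    $weak     = weak_validate_share($post);
    $hardened = hardened_validate_share($post);
    printf("%-16s weak: %-10s hardened: %s\n",
        $label,
        $weak === null ? 'accepted' : $weak,
        $hardened === null ? 'accepted' : $hardened);
}
```

Run it with `php` on the command line: the weak check accepts all three submissions, while the hardened one accepts only the legitimate name and rejects the other two on length and on the embedded line break respectively. A length cap and character filter close the specific hole described here, but they do not stop a bot from submitting the form thousands of times with an innocuous name, so a production form also needs a per-source rate limit and a nonce or CAPTCHA. Disabling the feature likewise stops new abuse but does not undo mail already sent: check the outbound mail queue and logs for what went out, and whether the server's address has landed on a blocklist as a result.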
Until the problem is fixed, we recommend that all WordPress sites using the Jetpack Sharing function deactivate email sharing.