Jetpack, the widely-used WordPress plugin, has released a critical security update, addressing a vulnerability that potentially exposed over 27 million websites. The flaw, originating from the plugin’s contact form feature, remained unnoticed and unpatched since 2016, posing a risk to any site using the plugin.
The vulnerability allowed any logged-in user on a website to access and read forms submitted by others, according to Jetpack engineer Jeremy Herve. While there is no evidence that this flaw has been exploited in the wild, Herve cautioned that the release of the update could prompt malicious actors to target unpatched sites. “We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of it,” Herve noted in a public statement on Tuesday.
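As an added illustration of the bug class described above (a logged-in check standing in for a real authorization check on stored submissions), not Jetpack's actual code: a hypothetical WordPress REST endpoint whose permission callback only tests for a login, beside the fixed form that requires a capability. The `example/v1` route, the `feedback` post type and the `edit_pages` capability are assumptions made for this example.

```php
<?php
// Added illustration (hypothetical, not Jetpack's code): a REST endpoint that
// returns stored contact-form submissions.

// Vulnerable pattern: "logged in" is treated as "authorized". Any account,
// including a subscriber, can list every submission on the site.
function example_register_feedback_route_vulnerable() {
    register_rest_route( 'example/v1', '/feedback', array(
        'methods'             => 'GET',
        'callback'            => 'example_list_feedback',
        'permission_callback' => function () {
            return is_user_logged_in(); // authentication only, no authorization
        },
    ) );
}

// Hardened pattern: require a capability that only trusted roles hold.
// 'edit_pages' (editors and administrators by default) is an assumed choice.
function example_register_feedback_route_fixed() {
    register_rest_route( 'example/v1', '/feedback', array(
        'methods'             => 'GET',
        'callback'            => 'example_list_feedback',
        'permission_callback' => function () {
            return current_user_can( 'edit_pages' );
        },
    ) );
}

// Shared callback: submissions are assumed to be stored as a custom post type.
function example_list_feedback( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_type'   => 'feedback',
        'post_status' => 'any',
        'numberposts' => 50,
    ) );
    $out = array();
    foreach ( $posts as $p ) {
        $out[] = array( 'id' => $p->ID, 'content' => $p->post_content );
    }
    return rest_ensure_response( $out );
}
```

The callback is identical in both variants; the only difference is whether `permission_callback` checks who the user is or what the user is allowed to do, which is the distinction that decides whether one subscriber account can read every visitor's submission.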
Jetpack has urged users to update to the latest version immediately and has released security patches for every version of the plugin dating back to 2016. Most websites using Jetpack have already been or will soon be automatically updated to secure versions, according to the company.
Jetpack, developed by Automattic—the same company behind WordPress—offers a range of security, performance, and marketing tools to help users enhance their websites. Among its features are real-time backups, automated malware scanning, spam protection, and site analytics. Jetpack has been a key plugin for WordPress users, providing essential site management services.
This isn’t the first time Jetpack has addressed long-standing security issues. Just last year, WordPress issued an automatic update to fix another critical flaw from a plugin version released in 2012, which could have allowed threat actors to manipulate files within the WordPress installation.
In related news, WordPress co-founder Matt Mullenweg recently revealed that the organization had taken control of a popular WP Engine plugin to address a security issue and remove commercial upsells. WP Engine, a third-party WordPress hosting service and competitor of Automattic, came under scrutiny from Mullenweg for not contributing enough to the open-source WordPress project.
Mullenweg emphasized WordPress’s right to modify or remove plugins without developer consent, sparking concerns among some developers who fear they could be sidelined. WordPress, since its inception in 2003, has been open-source and free, fostering a large developer community. However, these latest actions highlight ongoing tensions between WordPress and third-party developers over plugin management and open-source contributions.


John, do you know if the current version of JP includes a pushed fix, or is there some process for updating the app?
Hello, Darryl! If the automatic updates are enabled, the current version of JP should include the fix. If not, you might need to check the release notes or manually update the app to ensure the fix is applied.
I wonder if this has anything to do with all the glitches and issues many people have been having with Jetpack and WordPress recently?
You’re right, Willie! It most likely was for some of those issues, unfortunately.