Critical Security Vulnerability in Jetpack Plugin Affects Millions of WordPress Websites
Jetpack, a popular WordPress plugin developed by Automattic, has released a critical security update today, addressing a vulnerability that has the potential to impact millions of websites. Installed on over 27 million sites worldwide, Jetpack is a staple tool for enhancing website functionality, security, and performance.
Earlier today, version 13.9.1 of Jetpack was released, containing a critical security patch. According to the security bulletin, “While we have no evidence that this vulnerability has been exploited yet, please update your version of Jetpack as soon as possible to ensure the security of your site.” Jetpack users are urged to act immediately: although the vulnerability has not yet been exploited, the public disclosure of its details makes exploitation attempts more likely.
The vulnerability, which has existed since version 3.9.9, lies in Jetpack’s Contact Form feature. The flaw could allow logged-in users to read forms submitted by site visitors, which is a privacy and data security risk because those submissions may contain personal information. Jetpack said it discovered the issue during an internal security audit.
To mitigate this issue, Automattic worked closely with the WordPress.org Security Team to release patched versions for every release of Jetpack since 3.9.9. Jetpack confirmed, “Most websites have been or will soon be automatically updated to a secured version.” The company also published a list of the 101 Jetpack versions patched today, so that sites pinned to older releases can update without moving to a new major version.
Although there is no evidence that this vulnerability has been exploited in the wild, Automattic acknowledged the risk, cautioning that “now that the update has been released, it is possible that someone will try to take advantage of this vulnerability.” Once a fix is public, the patch itself reveals where the flaw was, which is why updating promptly matters.
Website owners using Jetpack are strongly urged to confirm that their site is running a patched version (13.9.1, or the corresponding patched release of their branch) rather than assuming the automatic update has already been applied. Automattic has apologized for any inconvenience caused by this vulnerability and reiterated its commitment to ongoing security audits.
“We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe,” the company stated.