October 2, 2023

WordPress is automatically updating over five million installations of its Jetpack plugin after a critical vulnerability was discovered in it.

Automattic, which counts Jetpack among its subsidiaries, began the update yesterday to bring users up to the new version, 12.1.1.

Jetpack is designed to offer users a range of security features, including automated backups and one-click restores, a web application firewall, malware scans, and brute-force attack protection. These come alongside capabilities for optimizing and customizing sites and gaining visibility into performance.


During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012. This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation.

A total of 102 Jetpack versions were updated this week, and the patches were automatically rolled out to users. Over the past two days, the plugin has amassed close to five million downloads, meaning that almost all impacted websites have received the update.

According to Automattic, there is no evidence that the vulnerability has been exploited in malicious attacks. However, vulnerabilities in popular WordPress plugins are known to be an attractive target for cybercriminals, given the potential damage successful exploitation could cause.

Owners are advised to ensure that their Jetpack installations are up to date.
