Developers of Jetpack WordPress plugin has recently alerted its user base to a critical security vulnerability, CVE-2023-2996. Jetpack, a one-stop solution to bolster the security, performance, and website management of WordPress sites, enjoys a user base exceeding five million active installations.
The vulnerability affects Jetpack versions before 12.1.1, with the root cause linked to an unvalidated file upload mechanism that allows a complete takeover.
In response to this alarming revelation, “Automattic”, the developers of the plugin promptly rolled out a security patch, Jetpack 12.1.1. This patch is currently being automatically applied to all WordPress websites using the plugin, a measure designed to shield websites from potential exploitation.
Considering the serious potential implications, all Jetpack users are strongly urged to update their version of Jetpack to 12.1.1 or later as soon as possible, to ensure the ongoing security of their WordPress sites. As a commitment to their users, Automattic has collaborated with the WordPress.org Security Team to release patched versions of every iteration of Jetpack since 2.0.
To ensure that users are given ample time to update, Automattic will publicly display the PoC on July 4, 2023. This strategy provides a buffer for users to update their Jetpack plugin and eliminate the CVE-2023-2996 vulnerability before details of its exploitation become widely known.