Critical Jetpack Plugin Vulnerability Patched on 5M Websites
Automattic, the company responsible for the open-source WordPress content management system, has initiated the mandatory installation of a security patch on numerous websites. This action aims to rectify a critical vulnerability found in the Jetpack plugin, which could potentially give a threat actor the ability to manipulate any file on a WordPress installation.
The vulnerability in question has been affecting all versions of the Jetpack WordPress plugin since Jetpack 2.0, which was released in 2012. Jetpack is a widely-used plugin that offers a suite of security features, including malware scanning, real-time backups, spam protection, and defense against brute-force attacks.
With over five million active installations, it ranks among the most popular plugins for WordPress. The security update, introduced on Tuesday, aims to address the found vulnerability and ensure the continued protection of Jetpack users.
According to Automattic, the vulnerability was discovered within the Jetpack plugin's API during an internal security audit. This vulnerability can enable site authors to “manipulate any files in the WordPress installation.”
The patch, Jetpack 12.1.1, is currently being automatically rolled out to all WordPress websites utilizing the Jetpack plugin. This patch, which began its deployment yesterday, has already been successfully installed on close to 5 million sites, meaning almost all affected sites have been patched.
Automattic has stated that there is no evidence of the vulnerability being exploited in malicious attacks. Nonetheless, it is crucial to acknowledge that vulnerabilities in popular WordPress plugins often attract the attention of cybercriminals due to the potential for significant damage if successfully exploited.
To mitigate the risk, site owners are strongly advised to update their Jetpack installations to the latest version. Automattic has made available a comprehensive list of the 102 plugin versions released this week for reference.