"Critical Vulnerability Patched in 101 Releases of WordPress Plugin Jetpack"

Automattic recently announced patches for 101 versions of the popular WordPress security plugin Jetpack to resolve a critical-severity vulnerability introduced in 2016. The bug, which was discovered internally and does not yet have a CVE identifier, was introduced in Jetpack version 3.9.9 and affects all subsequent releases. The company noted that during an internal security audit it found a vulnerability in the Contact Form feature that had been present since version 3.9.9, released in 2016. The flaw could be used by any logged-in user on a site to read forms submitted by visitors to that site.

To ensure that all WordPress websites using Jetpack are protected, the team decided to release a patch for every affected iteration of the plugin, which amounted to a total of 101 updates. Specifically, patches were released for all Jetpack versions between 3.9 and 13.9. The company has advised website administrators to check their Jetpack version and, where necessary, update to a patched release as soon as possible. Sites already running one of the patched versions were updated automatically, and no further action is needed. Automattic says there is no evidence that the vulnerability has been exploited in attacks. Jetpack is currently installed on more than four million websites, which makes it a tempting target for malicious actors.

SecurityWeek reports: "Critical Vulnerability Patched in 101 Releases of WordPress Plugin Jetpack"

Submitted by Adam Ekwall on