Automattic, the company behind the popular open-source WordPress content management system, has taken action to address a critical vulnerability in the Jetpack WordPress plug-in by enforcing the installation of a security patch on millions of websites. The vulnerability was discovered by Automattic during an internal security audit and was found to be present in Jetpack since version 2.0, which was released in 2012.
This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation. An extremely popular plug-in, Jetpack offers free security, performance, and website administration enhancements. These include site backups, brute-force attack protection, secure logins, malware scanning, and more.
The plug-in is maintained by Automattic and has more than 5 million active installations, making it a potentially lucrative target for cybercriminals. While there is currently no evidence that the vulnerability has been exploited, Automattic is urging website administrators to ensure their sites are secure by downloading the patch as soon as possible.
According to Jeremy Herve, an Automattic Developer Relations Engineer, the vulnerability is critical in nature, which means that it poses a significant security risk to websites that use Jetpack. Herve stated that this is why Automattic has released Jetpack 12.1.1, the security update that is being automatically distributed to all WordPress websites using the plug-in.
The update has already been rolled out to more than 4,130,000 sites using every version of Jetpack since 2.0. The security patch is aimed at fixing the existing vulnerability and improving the overall security of the plug-in. Jetpack 12.1.1 includes a critical security update that is designed to address the issue.
Herve warned website administrators that even though there are currently no indications that the flaw has been utilized in attacks, they should still ensure their sites are secure. This is because hackers will likely learn about the specifics of the flaw and develop exploits that target unpatched WordPress websites.
“We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, someone may try to take advantage of this vulnerability. Please update your version of Jetpack as soon as possible to ensure the security of your site,” Herve said.
To help website administrators in this process, Automattic has worked closely with the WordPress security team to release patched versions of every Jetpack version since 2.0. Most websites have already been or will soon be automatically updated to a secured version.
In summary, if you are using the Jetpack WordPress plug-in, it is essential to ensure that you have patched your website to the latest version. The critical security update addresses a vulnerability that could be used to manipulate any files in the WordPress installation, posing a significant security risk. Although there is currently no evidence that the flaw has been exploited, unpatched WordPress websites are potential targets, and hackers may develop exploits that target them.

