Jetpack Critical Vulnerability Puts Millions of WordPress Sites at Risk
Automattic Takes Swift Action, Forces Security Patch on Millions of WordPress Websites
Automattic, the company behind WordPress.com and the maintainer of Jetpack, has begun force-installing a security patch on millions of websites. The measure, carried out together with the WordPress.org Security Team, addresses a critical vulnerability in the widely used Jetpack plug-in.
Jetpack bundles security, performance and site-management features, including backups, brute-force login protection, secure logins and malware scanning, and is active on more than 5 million WordPress installations.
Jeremy Herve, Developer Relations Engineer at Automattic, said the vulnerability was found during an internal security audit. The flaw has been present in Jetpack's API since version 2.0, released in 2012, and allows users with the Author role on a site to manipulate any file in the WordPress installation. Because an Author is a low-privileged account that normally can only write posts and upload media, the ability to modify arbitrary files in a PHP application amounts to a path to full site compromise, which is why the issue is rated critical.
To address this critical issue, Jetpack 12.1.1, the security patch, is currently being automatically rolled out to all WordPress websites employing the plug-in. The deployment began today and has already secured more than 4,130,000 sites across various Jetpack versions, starting from 2.0.
[Image: Jetpack install statistics (WordPress)]
The quick release and forced installation of the patch mean that the large majority of vulnerable sites are already protected; the remaining sites are scheduled for patching shortly.
There is no evidence so far that the vulnerability has been exploited in the wild, but Herve advised administrators to make sure their sites are updated as a precaution. Now that the existence of the flaw is public, attackers are likely to work out the details and build exploits against sites that are still unpatched, so timing matters.
Herve urged administrators to update Jetpack to the latest version. Working with the WordPress.org Security Team, Automattic has published patched releases for every Jetpack branch from 2.0 onward, so a site that is pinned to an older branch can receive the fix without jumping straight to 12.1.1. Automattic encourages all users to update promptly; most sites have already been updated automatically, and the rest are scheduled for imminent patching.
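The practical check an administrator wants at this point is whether the Jetpack copy on disk is one of the fixed builds. The following script is an added example, not code from the article or from Automattic: it reads the standard WordPress plugin header from `jetpack.php` (the first 8 KiB, as WordPress core's `get_file_data` does) and classifies the version using only the two numbers the article gives, 12.1.1 for the fix and 2.0 for the introduction of the vulnerable API. The per-branch back-ported versions are not listed on this page, so the script does not encode them; an install on an older branch is flagged for manual verification against the Jetpack release notes rather than declared safe or vulnerable. The sample header embedded below is constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Release numbers taken from the article: the fix shipped as Jetpack 12.1.1 and
# the vulnerable API dates back to Jetpack 2.0. The per-branch back-ported
# fixed versions are not on this page, so they are deliberately not encoded.
PATCH_RELEASE = "12.1.1"
FIRST_VULNERABLE = "2.0"

# Constructed sample of a jetpack.php plugin header. The layout is the standard
# WordPress plugin header format; the version number here is made up.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Jetpack
 * Plugin URI: https://jetpack.com
 * Author: Automattic
 * Version: 12.0.1
 * Text Domain: jetpack
 */
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.1.1' or '2.0' into a comparable tuple, padded to three parts."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"not a version string: {version!r}")
    return parts + (0,) * (3 - len(parts))


def version_from_header(php_source: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header block."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\d[\d.]*)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def classify(version: str) -> str:
    """Classify an installed Jetpack version against the facts on this page."""
    installed = parse_version(version)
    if installed >= parse_version(PATCH_RELEASE):
        return "patched"
    if installed < parse_version(FIRST_VULNERABLE):
        return "predates-vulnerable-api"
    # Automattic also shipped fixed releases for every branch since 2.0, so an
    # older install may already be safe; confirm against the Jetpack release notes.
    return "verify-backport"


def check_plugin_file(path: str) -> str:
    """Read a jetpack.php from disk and classify it (first 8 KiB, like core's get_file_data)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        header = fh.read(8192)
    version = version_from_header(header)
    if version is None:
        return "no-version-header"
    return classify(version)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # e.g. python check_jetpack.py /var/www/html/wp-content/plugins/jetpack/jetpack.php
        for path in sys.argv[1:]:
            print(path, check_plugin_file(path))
    else:
        sample_version = version_from_header(SAMPLE_HEADER)
        print("sample header version:", sample_version, "->", classify(sample_version))
```

On a live install the same version string is available through WP-CLI with `wp plugin get jetpack --field=version`, and `wp plugin update jetpack` applies the update if the forced rollout has not reached the site yet. A result of `verify-backport` is not a finding on its own; it means the install is on an older branch and the exact fixed release for that branch has to be looked up.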
This is not the first time WordPress.org has force-pushed a security update to fix a critical issue in a plug-in or in WordPress itself. Samuel Wood, a WordPress core developer, has previously noted that the project has pushed security releases for plug-ins multiple times since automatic background updates arrived with WordPress 3.7 in October 2013.
Source: bleepingcomputer.com