The popular and one of the most-used WordPress plugins, Jetpack recently addressed a critical security issue. Despite no active exploitation, WordPress force installed Jetpack plugin updates to websites to patch the vulnerability.
Jetpack WordPress Plugin Vulnerability
Reportedly, the Jetpack plugin had developed a severe security flaw that risked millions of WordPress websites. The news surfaced online as the Jetpack team rolled out a major security update for the plugin, urging users to update.
According to the recently published security bulletin, the plugin developers discovered a critical vulnerability affecting Jetpack API during an internal security audit. Notably, the vulnerability existed in the plugin since its 2012 version 2.0 – around a decade ago.
Fortunately, the flaw remained hidden from adversaries, avoiding any security threats to the websites. Nonetheless, if exploited, the vulnerability would allow an attacker with author roles on a website to manipulate any files in WordPress installation.
For now, the plugin team refrained from sharing any details about the vulnerability to avoid potential exploitation attempts. The changelog on the plugin’s official page merely lists a REST API issue that the team fixed to ensure proper validation of all files uploaded via the API.
Upon noticing the vulnerability, the Jetpack plugin team quickly developed a patch for different plugin versions. Eventually, they released 102 different versions on the same day to address the site requirements of different WordPress users.
WordPress Force Installs Plugin Updates
Jetpack currently boasts over 5 million active installations, hinting at the huge number of websites at risk due to plugin vulnerabilities. Nonetheless, to avoid such threats, the plugin team collaborated with the WordPress security team to ensure the automatic roll-out of the patches.
Consequently, WordPress started force-installing Jetpack updates accordingly on the websites to prevent potential attacks.
While Jetpack confirmed detecting no active exploitation of the flaw, the developers still urge users to ensure updating their websites with the latest releases.
On a side note, another WordPress plugin, Beautiful Cookie Consent Banner, also recently addressed a serious cross-site scripting (XSS) issue. Therefore, all WordPress admins must review their sites for proper updates to all installed plugins to avoid security risks.
Let us know your thoughts in the comments.