WordPress developers forcibly update Jetpack plugin on 5 million sites

Automattic, the company behind the WordPress CMS, has forcibly updated the popular Jetpack plugin on the 5,000,000 sites it is installed on.

Jetpack provides its users with free features for security, performance and site management, including brute force attack protection, backups, secure login and malware scanning. The plugin is created and maintained by Automattic itself, which also develops WordPress.

Jetpack recently found a vulnerability hiding in the Carousel function, thanks to which it is possible to display comments for each image.

We found a vulnerability in the Carousel feature and its option to display comments for each image. We have no evidence that this vulnerability has been exploited in the wild. But we consequently invite you to update your version of Jetpack as soon as possible. To help you in this process, we worked with the Security Team to release patched versions of every version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secured version.Automattic developers report.

No details about this bug have been reported yet, but it is known that Automattic has solved the problem by changing the authorization logic.

WordPress Jetpack plugin

The company said in a statement that the bug affects all versions of the plugin since Jetpack 2.0, released in November 2012. Jetpack developers add that they are not aware of the exploitation of this problem by hackers in real attacks.

But now that the update has been released, it’s only a matter of time before someone tries to exploit this vulnerability.the developers warn.

Since the specialists have prepared and force-distribute patches for all versions of the plugin since version 2.0, the download statistics available on WordPress Plugins now confirm that most installations have already received updates.

This is not the first time Automattic has released mandatory security updates to fix plugins or the CMS itself.

WordPress core developer Samuel Wood has previously said that the feature has been used “many times”, although he did not elaborate on the details. In 2015, another WordPress developer stated that the Force Plugin Update feature has only been used five times since its introduction in 2013.

Let me remind you that we wrote that Hackers exploit vulnerability in Easy WP SMTP WordPress plugin to reset admin passwords, as well as that Hackers compete for vulnerable WordPress sites.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button