WordPress Automatically Updates ‘Jetpack’ Plugin Installed on Over 5 Million Sites to Fix Vulnerability
Jetpack is a popular WordPress plug-in that provides free security, performance, and website management features, including brute-force attack protection, site backups, secure logins, and malware scanning.
We released a security update for Jetpack that fixes a vulnerability in the plugin, so if you're not using the version with the fix, you will see that message in Scan. You can check the version number against the list here to see if you're up to date: https://t.co/OhgYtVdmOV
— Jetpack (@jetpack) June 3, 2021
The vulnerability was found in the Carousel feature and its option to display comments for each image; nguyenhg_vcs is credited with responsibly disclosing the security bug. The announcement made by Automattic says the bug impacts all versions since the Jetpack 2.0 release, which dates back to November 2012.
The Jetpack development team added that it found no evidence that the vulnerability has been exploited in the wild.
“However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability,” the developers warn.
Automattic is force-installing patched versions on all websites running vulnerable Jetpack versions, and most sites have already been updated.
“To help you in this process, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0,” Automattic said. “Most websites have been or will soon be automatically updated to a secured version.”
Currently, download stats available on the WordPress Plugins site confirm that the security updates have been pushed to most if not all exposed websites.
This is not the first time Automattic used the automated deployment of security updates to patch vulnerable plug-ins or WordPress installations.