Automattic, the owner of WordPress.com, has taken decisive action to address a critical vulnerability in the popular Jetpack plugin. With over 5 million active installations, Jetpack offers a range of enhancements, including security features, performance improvements, and website management tools.
During an internal security audit, a vulnerability was discovered in the Jetpack API, which has been present since the plugin’s version 2.0 release in 2012. This vulnerability allows authors on a website to manipulate files within the WordPress installation, posing a significant risk.
To mitigate this issue, Automattic, in collaboration with the WordPress Security Team, has initiated the forced installation of a security patch. The patch, named Jetpack 12.1.1, is being automatically rolled out to all WordPress websites using the Jetpack plugin. As of today, it has already been installed on over 4,130,000 sites that have Jetpack installed, regardless of the specific version.
The proactive deployment of the security patch ensures that the majority of vulnerable websites have already been updated to the latest secure version, while the remaining sites will be patched shortly.
Jeremy Herve, Automattic’s Developer Relations Engineer, emphasized that there have been no indications of the vulnerability being exploited in attacks so far. However, he cautioned website administrators to ensure their sites are secure since attackers may capitalize on the vulnerability’s details and create exploits to target unpatched WordPress websites.
Note: How to install WordPress on Localhost
Herve urged website owners to promptly update their version of Jetpack to safeguard their sites. Automattic has worked closely with the WordPress.org Security Team to release patched versions for all Jetpack versions since 2.0. Most websites have already been automatically updated or will be soon, to a secured version.
This is not the first time WordPress has employed automated deployment of security updates to address critical issues in plugins and WordPress installations. The organization has previously used this approach to push security releases for plugins since the release of WordPress 3.7 in October 2020.
It is crucial for WordPress website owners to prioritize the timely update of plugins and themes to ensure the security and integrity of their sites. By keeping their installations up to date, users can effectively mitigate potential vulnerabilities and protect their websites from malicious exploits.