Hey there, WordPress enthusiasts! It’s crucial to update your websites with the latest Jetpack release to address a critical vulnerability that could expose your site data. Although there have been no reported exploitation attempts, it’s better to be safe than sorry, so make sure to patch your sites promptly.
Uncovering the Jetpack Vulnerability Impacting WordPress Websites
The Jetpack plugin team recently issued an advisory highlighting a serious security flaw that had been lingering for several years. This flaw could potentially enable an authenticated attacker to access sensitive site data.
The vulnerability was specifically found within the plugin’s “Contact Form” feature. Any authenticated user logged into the site could exploit this flaw to read forms submitted by other users, a missing access-control check that poses a significant security risk for both the website and its visitors.
Surprisingly, this vulnerability went undetected for years, originating with the Contact Forms feature introduced in version 3.9.9 back in 2016. This means that the threat persisted for 8 years, leaving countless websites potentially vulnerable.
Fortunately, no active exploitation attempts have been identified by the developers. Nevertheless, now that the vulnerability details are public, all users are strongly advised to update their sites with the latest Jetpack plugin release. The advisory lists all patched versions for easy reference.
Here is a complete list of the 101 different Jetpack versions released today:
13.9.1, 13.8.2, 13.7.1, and so on…
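Because the fix was backported to many minor branches, “am I patched?” is not a simple “is my version the newest?” question. The helper below is an added example, not code from the Jetpack advisory or the plugin: it encodes only the three patched releases quoted above (the rest of the 101-release list must be taken from the advisory itself) and reports whether an installed version is at or above the fixed release for its branch.

```shell
#!/bin/sh
# Added example (not from the Jetpack project): classify an installed Jetpack
# version against the patched release for its minor branch.
# Only the three patched versions quoted in the article are encoded here;
# consult the advisory's full list for every other branch (assumption).

# Patched releases named in the article, one "major.minor patch" per line.
PATCHED_RELEASES="13.9 1
13.8 2
13.7 1"

# jetpack_patch_status VERSION
# Prints "patched", "vulnerable" or "unknown-branch" on stdout.
# Usage on a live site (WP-CLI):
#   jetpack_patch_status "$(wp plugin get jetpack --field=version)"
jetpack_patch_status() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    # A release like "13.9" has no patch component; treat it as patch 0.
    case "$rest" in
        *.*) patch="${rest#*.}" ;;
        *)   patch=0 ;;
    esac
    # Drop any pre-release suffix such as "1-beta" before numeric comparison.
    patch="${patch%%[!0-9]*}"
    [ -n "$patch" ] || patch=0
    branch="$major.$minor"
    fixed=$(printf '%s\n' "$PATCHED_RELEASES" | awk -v b="$branch" '$1 == b { print $2 }')
    if [ -z "$fixed" ]; then
        # Branch not in our table: the advisory, not this script, decides.
        echo "unknown-branch"
    elif [ "$patch" -ge "$fixed" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
    return 0
}
```

An "unknown-branch" result is deliberately not treated as safe; extend PATCHED_RELEASES from the advisory before relying on the check for older branches.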
This isn’t the first time Jetpack has dealt with a long-standing vulnerability. In June 2023, they addressed a vulnerability that had been present since 2012, allowing authenticated attackers with author roles to manipulate WordPress installation files. It took approximately 11 years for this issue to be resolved, thanks to an internal audit that caught the vulnerability before it could be exploited.
We’d love to hear your thoughts in the comments below!