October 14, 2024 at 03:37PM
Jetpack, a popular WordPress plugin, released a critical update to fix a vulnerability allowing logged-in users to access submitted forms from other visitors. The flaw affects all versions since 3.9.9, with fixes available for 101 versions. Users are urged to upgrade immediately, though no exploitation evidence has been found.
### Meeting Takeaways
1. **Critical Security Update**:
– Jetpack, a widely used WordPress plugin by Automattic, released a critical security update addressing a vulnerability that affected all versions since 3.9.9 (2016).
– The vulnerability allowed logged-in users to access forms submitted by other visitors.
2. **Scope of Impact**:
– Approximately 27 million websites use Jetpack, and the issue was found during an internal security audit.
– A total of 101 impacted versions of Jetpack have been identified.
3. **Versions Affected**:
– Fixes have been released for the following versions:
– 13.9.1 through 3.9.10, including multiple versions from 1.0.0 to 13.9.0.
4. **User Action Required**:
– Website owners and administrators should verify if their Jetpack plugin has updated automatically to a secure version. If not, they must perform a manual upgrade.
5. **Exploitation Risk**:
– Jetpack stated there is currently no evidence that the vulnerability has been exploited maliciously, but there is potential risk post-update release.
6. **No Alternatives**:
– There are no known workarounds for this vulnerability, making it imperative that users apply the updates as soon as possible.
7. **Further Information**:
– Technical specifics regarding this flaw and potential exploitation methods are not disclosed to give users time to implement the necessary updates.
### Action Items
– **Check Jetpack Version**: Confirm if the plugin is up-to-date.
– **Upgrade if Necessary**: Perform a manual upgrade to a patched version of Jetpack.
– **Monitor Updates**: Stay informed about any further updates or guidance from Automattic regarding Jetpack security.