WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

October 15, 2024 at 01:00AM

Jetpack has released a security update to fix a critical vulnerability that allowed any logged-in user of a WordPress site to read forms submitted by other users. The flaw, identified during an internal audit, has been present in versions released since 2016. Jetpack worked with WordPress.org to push the fix through automatic updates. Meanwhile, WP Engine disputes WordPress.org's authority over plugins it distributes.

### Key Takeaways

1. **Jetpack Security Update**:
– Jetpack has released a critical security update to address a vulnerability that allowed any logged-in user to view forms submitted by other users on the same site.
– This issue has existed since version 3.9.9 (2016) and was discovered during an internal security audit.

2. **Plugin Usage**:
– Jetpack is an all-in-one plugin by Automattic, used on 27 million WordPress sites, offering tools for site safety, performance, and traffic growth.

3. **Automatic Updates**:
– Collaborating with the WordPress.org Security Team, Jetpack has ensured automatic updates to secure versions on installed sites.

4. **Versions Affected**:
– The vulnerability has been resolved in 101 versions of Jetpack ranging from 3.9.10 up to version 13.9.1.

5. **Exploitation Risk**:
– Although there’s no evidence of exploitation historically, the public disclosure of the vulnerability heightens the risk for potential future abuse.

6. **Previous Security Issues**:
– Jetpack addressed a similar critical flaw in June 2023 that had existed since November 2012.

7. **Ongoing Dispute**:
– A dispute is ongoing between WordPress founder Matt Mullenweg and WP Engine over the Advanced Custom Fields (ACF) plugin, which WordPress.org has forked into Secure Custom Fields, citing security concerns.

8. **Security Fixes**:
– Secure Custom Fields version 6.3.6.2 has been updated to address security issues.

9. **Public Safety and Response**:
– WordPress stated it acts in the interest of public safety, asserting its right to manage plugin access and security without developer consent, which WP Engine contested.

These takeaways capture the key points from the article regarding security vulnerabilities, plugin management, and ongoing disputes in the WordPress community.