Jetpack 13.9.1 Patches a Critical Security Flaw

The popular WordPress plugin Jetpack has released a critical update (13.9.1) following the discovery of a security vulnerability that has left sites exposed for nearly eight years. The vulnerability affected Jetpack’s Contact Form feature, allowing any logged-in user on a site, regardless of their role, to access data from submitted forms. Jetpack’s team worked closely with WordPress.org to ensure that all versions dating back to 3.9.9 (released in 2016) were patched.

The flaw was detected during Jetpack’s recent internal security review, which prompted an immediate response. Collaborating with the WordPress.org Security Team, Jetpack issued patches for more than 100 previous versions of the plugin, closing off the unauthorized data access for sites that cannot move to the latest release.

Although there is no evidence that the vulnerability has been exploited in the wild, Jetpack cautioned that “now that the update has been released, it is possible that someone may attempt to exploit this vulnerability.” The vulnerability, impacting versions before 13.9.1, has been assigned a Common Vulnerability Scoring System (CVSS) score of 4.3, a moderate rating that still warrants prompt updating.

The Wordfence team, a leading WordPress security provider, emphasized that the vulnerability allows “authenticated attackers with subscriber-level access and above to read all Jetpack form submissions on the site.” Wordfence noted that it had identified a missing capability check in the Contact_Form_Endpoint class, which opened up potential access to sensitive information.
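To show the bug class Wordfence describes (a REST endpoint whose permission check does not distinguish a Subscriber from a site manager), here is an added, hypothetical WordPress example; it is not Jetpack’s code, and the route names, the `edit_others_posts` capability and the option used for storage are assumptions made for the illustration.

```php
<?php
// Added illustration, not Jetpack's code: a hypothetical REST route that
// returns stored contact-form submissions. Route names, the capability
// checked and the storage option are invented for this example.

add_action( 'rest_api_init', function () {
    // WEAK: the permission callback only requires a logged-in user, so any
    // role, including Subscriber, can read every submission. This is the
    // shape of a "missing capability check" on a read endpoint.
    register_rest_route( 'example/v1', '/form-responses-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_list_form_responses',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // HARDENED: the permission callback requires a capability that only
    // trusted roles (Editor, Administrator) hold by default.
    register_rest_route( 'example/v1', '/form-responses', array(
        'methods'             => 'GET',
        'callback'            => 'example_list_form_responses',
        'permission_callback' => 'example_can_read_form_responses',
    ) );
} );

function example_can_read_form_responses( WP_REST_Request $request ) {
    // Subscribers have 'read' but not 'edit_others_posts' (assumed choice of
    // capability; pick the one that matches who may see submissions).
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to read form submissions.' ),
            // 401 for anonymous callers, 403 for logged-in users who lack the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_list_form_responses( WP_REST_Request $request ) {
    // Hypothetical storage: an option holding an array of submissions.
    $responses = get_option( 'example_form_responses', array() );
    return rest_ensure_response( $responses );
}
```

When reviewing a plugin for this class of issue, look for every `register_rest_route` call whose `permission_callback` is `__return_true` or `is_user_logged_in` and confirm that the data it exposes is genuinely safe for the lowest role that passes the check.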

WordPress security provider WPScan, which initially reported the vulnerability, has announced plans to publish a Proof of Concept (PoC) on November 11, 2024, giving site owners a window to secure their sites before the exploit details become public.

The Jetpack team quickly reassured users, saying, “We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe.” WordPress.org has already implemented automatic updates for many users, although manual updates may be required for some sites.

The plugin team expressed gratitude to its community, acknowledging the “extra workload” that this update may impose on administrators and developers. However, the company has maintained its commitment to code integrity and site security, a message that has resonated positively with Jetpack’s vast user base.

This incident serves as a reminder of the importance of regular audits and quick response times within the WordPress ecosystem. As one of the most widely used plugins, Jetpack’s swift handling of the situation underscores the ongoing need for proactive measures to protect site data and user privacy. With over 5 million active installations, Jetpack’s security practices set a benchmark for plugin developers aiming to maintain trust within the community.

For users unsure of how to verify their Jetpack version, updating is straightforward:

From the WordPress dashboard, select Plugins > Installed Plugins. If Jetpack has not already been updated, an “Update Now” link will appear. After updating, confirm that the version shown for the plugin is 13.9.1 or later, which indicates a patched release.

With Proof of Concept details set to release in a few weeks, now is the best time to secure your site against potential vulnerabilities. This proactive update from Jetpack signals its ongoing commitment to securing the platform for all users.
