The Jetpack WordPress plugin is receiving a security update. The company behind the WordPress content management system has assured that the vulnerability has not been exploited, yet.
A highly popular WordPress plugin is receiving a security update following a vulnerability that an ethical hacker reported. The Jetpack WordPress plugin has over 5 million installs.
Automattic force-installs security patch for Jetpack plugin:
Automattic, the company behind the WordPress content management system, is force-deploying a security update for the Jetpack plugin. The update should arrive and install automatically with no user intervention needed.
The plugin has more than 5 million active installations. Automattic, the company behind WordPress, develops and maintains the popular plugin.
Jetpack provides free security, performance, and website management features. These include brute-force attack protection, site backups, secure logins, and malware scanning.
The vulnerability that Automattic is patching exists in the Carousel feature, specifically in its option to display comments for each image. An ethical hacker known as nguyenhg_vcs first identified the bug and reported it to the company.
As the patching process is in its initial stages, Automattic hasn’t offered any specific details about the vulnerability in the WordPress plugin. However, reports indicate that the company plugged the loophole by adding authorization logic, i.e. a check that the requester is allowed to see the data the feature returns.
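To illustrate what "adding authorization logic" to a comment-display endpoint means in practice, here is an added example that is not Jetpack's code and not the actual fix (whose details Automattic has not published): a hypothetical WordPress AJAX handler that returns the approved comments for a carousel image only after verifying that the requester may read the post the image belongs to. The action name, nonce name and function name are assumptions.

```php
<?php
// Hypothetical handler (assumption: not Jetpack's code, not its real fix).
// Returns approved comments for a carousel image, gated by an access check.
add_action( 'wp_ajax_example_carousel_comments', 'example_carousel_comments' );
add_action( 'wp_ajax_nopriv_example_carousel_comments', 'example_carousel_comments' );

function example_carousel_comments() {
    // 1. CSRF protection: the request must carry a valid nonce.
    check_ajax_referer( 'example-carousel-nonce', 'nonce' );

    $attachment_id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    $attachment    = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'no such attachment', 404 );
    }

    // 2. Authorization. Attachments carry status 'inherit', so resolve the
    //    effective status through the parent post (private, draft, ...) and
    //    refuse unless the current user, possibly anonymous, may read it.
    $status = get_post_status( $attachment );
    if ( 'publish' !== $status && ! current_user_can( 'read_post', $attachment_id ) ) {
        wp_send_json_error( 'not authorized', 403 );
    }
    // A password-protected parent must not leak its comments either.
    $parent = $attachment->post_parent ? get_post( $attachment->post_parent ) : null;
    if ( $parent && post_password_required( $parent ) ) {
        wp_send_json_error( 'not authorized', 403 );
    }

    // 3. Only approved comments, and only the fields the carousel displays.
    $comments = get_comments( array(
        'post_id' => $attachment_id,
        'status'  => 'approve',
    ) );
    $out = array();
    foreach ( $comments as $c ) {
        $out[] = array(
            'author'  => esc_html( $c->comment_author ),
            'content' => wp_kses_post( $c->comment_content ),
            'date'    => $c->comment_date_gmt,
        );
    }
    wp_send_json_success( $out );
}
```

The same pattern applies to any plugin endpoint that returns per-post data: validate the nonce, resolve the object's effective visibility, and check `current_user_can( 'read_post', … )` before anything is disclosed.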
Automattic is force installing patched versions of the Jetpack plugin on all websites that have any older versions. The company has indicated that most sites have received the patched version of Jetpack.
Dynamically updated statistics confirm that Automattic has pushed the security update to most, if not all, exposed websites.
WordPress plugin vulnerability not yet exposed or exploited in the wild, assures Automattic:
Automattic has assured that the vulnerability within Jetpack isn’t common knowledge, yet. “However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability,” cautioned Automattic.
The company has indicated that the Jetpack security bug affects all versions since the Jetpack 2.0 release, which dates back to November 2012.
We released a security update for Jetpack that fixes a vulnerability in the plugin, so if you're not using the version with the fix, you will see that message in Scan. You can check the version number against the list here to see if you're up to date: https://t.co/OhgYtVdmOV
— Jetpack (@jetpack) June 3, 2021
The force-install procedure is not new to Automattic or WordPress. The company has previously used the automated deployment of security updates to patch vulnerable plugins or WordPress installations.
Hackers and malicious code writers appear to be actively targeting WordPress and content-rich websites. Manipulating data, artificially boosting SEO rankings, and hunting for security vulnerabilities seem to have become a very lucrative investment.