Automattic, the company behind WordPress, has initiated the force installation of a security patch to address a critical vulnerability in the Jetpack WordPress plugin. Jetpack is a widely used plugin offering security, performance, and website management enhancements for WordPress sites. With over 5 million active installations, it provides features such as site backups, brute-force attack protection, secure logins, and malware scanning.
The vulnerability in question was discovered during an internal security audit and affects the Jetpack API available since version 2.0 released in 2012. It could potentially allow authors to manipulate files within a WordPress installation.
The security patch, Jetpack 12.1.1, has begun rolling out automatically to all WordPress websites using the Jetpack plugin. Already installed on more than 4,130,000 sites running all versions of Jetpack since 2.0, the patch ensures that most vulnerable websites have already been updated, with the remaining sites expected to be patched soon.
While there is no evidence of the vulnerability being exploited, website administrators are advised to secure their sites, as attackers may attempt to exploit the flaw in unpatched WordPress websites.
Automattic has previously employed automated deployment of security updates to address critical issues in WordPress plugins and installations. The company’s proactive approach to pushing security releases for plugins has been ongoing since the release of WordPress 3.7. Website owners are urged to update their version of Jetpack promptly to ensure the security of their sites.
Automattic collaborated with the WordPress.org Security Team to release patched versions of all Jetpack versions since 2.0, facilitating the update process.
Overall, Automattic is taking swift action to mitigate the security risk posed by the vulnerability in the Jetpack WordPress plugin. By automatically rolling out the security patch, the majority of vulnerable websites have already been protected.
Website administrators are strongly advised to update their Jetpack version promptly to safeguard their sites from potential exploits.
