With the assistance of the WordPress Security Team, Automattic, the owner of WordPress.com, has begun enforcing the installation of a security patch on millions of websites in order to fix a serious vulnerability in the Jetpack plug-in.
A very well-liked plug-in called Jetpack offers free security, performance, and administration enhancements for websites, including site backups, defense against brute-force attacks, secure logins, malware scanning, and more. Over 5 million active installs of the Automattic-maintained plug-in are listed in the official WordPress plug-in repository.
According to Automattic Developer Relations Engineer Jeremy Herve, “during an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012.”
“Authors on a website could manipulate any files in the WordPress installation using this vulnerability.”
Jetpack 12.1.1, the security patch automatically applied to all WordPress websites using the plug-in, began rolling out today and has already been installed on more than 4,130,000 sites running every version of Jetpack since 2.0.
This indicates that the majority of vulnerable websites have already been automatically updated to a patched version, and the rest will follow soon.
Herve also advised website administrators to make sure their sites are secure: although there are no indications that the bug has been used in attacks, attackers will probably learn about it and develop exploits that target unpatched WordPress websites.
“We have no proof that this vulnerability has been used in the wild as an exploit. But now that the update has been made available, it’s probable that someone may attempt to exploit this weakness,” Herve stated.
“In order to maintain the security of your website, please update your version of Jetpack as soon as possible. We have carefully collaborated with the WordPress.org Security Team to issue patched versions of every version of Jetpack since 2.0 in order to assist you in this process. The majority of websites have already undergone this automatic update or will soon.”
WordPress has previously employed automated security update distribution to fix important bugs in plug-ins or WordPress installations.