Jetpack for WordPress: Why You Should Update Now

Jetpack For Wordpress

On May 27, Jetpack for WordPress announced that they were releasing a critical security update to their immensely popular plugin, which brings tons of features to WordPress. According to WordPress.org, Jetpack is currently installed on over 1 million sites, with more than 25 million lifetime downloads.

Jetpack for WordPress 4.0.3: Critical Security Update

According to Carolyn Sonnek of Jetpack, “We found a vulnerability in the way that some Jetpack shortcodes are processed. This bug has existed since Jetpack 2.0, released in November 2012.”.  Wait a minute…did she just say November 2012? It’s remarkable that this flaw has never been exploited in the wild, but now that this news is out, you can bet that the hackers are going to have a field day.

Jetpack Stats by WordPress

Current statistics of active users by version and lifetime downloads.

The good news is that if you have been using or are currently using Akismet for spam protection, you are safe from this exploit. Also, sites using VaultPress 1.8.3 are protected from this exploit. However, Carolyn recommends that you still should update Jetpack to it’s latest version.

Patching Jetpack

According to Jetpack, they have patched all the vulnerable versions of the plugin; 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3, 3.9.7, and 4.0.3. Downloads for each branch can be found here.

Sucuri Security Disclosure

Carolyn also thanked Marc-Alexandre Months of Sucuri for researching, and later, responsibly disclosing this issue. According to Marc-Alexandre, the issue deals with a stored cross-site scripting (XSS) vulnerability that can be easily exploited remotely via wp comments. He goes on recommend that everyone using Jetpack update or patch their versions immediately.

The security disclosure reveals that since it is a Cross-Site Scripting (XSS) vulnerability it could allow an attacker to hijack administrator accounts, inject SEO spam to the affected page, and redirect visitors to malicious websites.

If you would like us to help you with this update, please feel free to contact us or request a quote and one of our WordPress security experts will get back to you right away. You may also call us at +63 44 769 4023 or Skype us at dcgws_internet_solutions.

Leave a Reply

Your email address will not be published. Required fields are marked *