Jetpack is a hugely popular WordPress plugin that provides a wide range of features, including security features, to nearly 5 million websites. But after the discovery of a bug that had been lurking under the radar since 2012, Jetpack has received a critical security update.
On Tuesday, Jetpack's maintainer, Automattic, announced that it has been working closely with the WordPress security team to automatically patch all versions of Jetpack since 2.0.
This security hole is in Jetpack’s API and has existed since version 2.0 was released in 2012, over a decade ago.
The vulnerability, which could allow site authors to manipulate files within WordPress installations, was discovered during an internal security audit.
Exploitation of this flaw could allow malicious hackers to modify the content on the website, compromising the security of other users and website visitors.
The good news is that Automattic said it has seen no evidence of this vulnerability being used in malicious attacks. However, that does not guarantee that the security hole has not been exploited.
Indeed, now that the issue is public, cybercriminals are likely to make even more determined attempts to exploit this flaw, which makes it all the more important to ensure that all WordPress-powered websites run a secure version of Jetpack.
Luckily, WordPress has a fairly robust system in place for automatically pushing critical security updates in situations like this, and most at-risk WordPress-powered websites may already have been automatically updated to a safe version of the Jetpack plugin.
Jetpack, like WordPress, is open source. This means that anyone can check the source code, and it’s often argued that one of the benefits of open source is that security holes are more likely to be found.
However, this security vulnerability went unnoticed for over a decade.
Just because anyone can check open source code for critical security vulnerabilities doesn’t mean everyone can.
Editor’s Note: The opinions expressed in this guest author article are those of the contributor only and do not necessarily reflect those of Tripwire.