Jetpack is one of the most popular WordPress plugins. It provides free security, performance, and site-management features such as secure logins, malware scanning, site backups, and brute-force attack protection.
Currently, the plugin has more than five million active users, and it was developed and is maintained by Automattic, the WordPress parent company.
The vulnerability hasn’t been exploited yet!
The vulnerability was found by Adham Sadaqah while he was working with Jetpack embed code. He responsibly disclosed the security issue to the company.
The company has not disclosed any details about the flaw, in order to protect its users, but it has confirmed that the bug affects all Jetpack versions starting from 5.1. The good news is that Jetpack developers have found no evidence of the vulnerability being exploited.
A new patch has been released:
Jetpack has released a critical 7.9.1 security update, but it is only a matter of time before someone reverse-engineers the patch and exploits the vulnerability. The development team has also worked with the WordPress.org Security Team to release patches for Jetpack 5.1 and later, so that affected installations are updated automatically.
Millions of users have already patched the flaw!
According to the WordPress Plugins site, four million of the five million installations have already been patched. Anyone not running Jetpack 7.9.1 should update immediately; otherwise the site remains exposed to potential attackers.
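A quick way to check where an installation stands is to read the `Version:` line of the plugin header in Jetpack's main file and compare it with the 7.9.1 fix release named above. The following is an added example, not code from the article or from Jetpack; the header text is a constructed sample, and because the article does not give version numbers for the backported 5.1+ patches, anything below 7.9.1 is flagged for manual review rather than declared unpatched.

```python
"""Classify a WordPress plugin install by the Version line in its header.

Added example (not from the article). The thresholds come from the article:
the fix is 7.9.1 and the affected range starts at 5.1. Backported patches
for 5.1+ branches carry other version numbers the article does not list, so
versions below 7.9.1 are reported as 'below_fix' and need manual review.
"""
import re

FIXED_VERSION = (7, 9, 1)   # fix release named in the article
FIRST_AFFECTED = (5, 1)     # start of the affected range per the article

# Constructed sample of a plugin header as found at the top of jetpack.php
# (real installs have more fields; only the Version line is parsed here).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Jetpack by WordPress.com
 * Version: 7.9
 * Author: Automattic
 */
"""


def parse_version(header):
    """Return the 'Version:' value of a plugin header as a tuple of ints."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header, re.MULTILINE)
    if not match:
        raise ValueError("no Version line found in plugin header")
    return tuple(int(part) for part in match.group(1).strip(".").split("."))


def _pad(version, width=3):
    """Right-pad a version tuple with zeros so (7, 9) compares equal to (7, 9, 0)."""
    return tuple(version) + (0,) * (width - len(version))


def classify(version):
    """Map a version tuple to 'patched', 'below_fix' or 'outdated'."""
    padded = _pad(version)
    if padded >= _pad(FIXED_VERSION):
        return "patched"        # 7.9.1 or newer
    if padded >= _pad(FIRST_AFFECTED):
        return "below_fix"      # in the affected range; verify a backport or update
    return "outdated"           # predates the affected range but is far too old to keep


if __name__ == "__main__":
    print(classify(parse_version(SAMPLE_HEADER)))  # below_fix
```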
Security flaws aren’t new for Jetpack!
During an internal audit of the Contact Form block in December 2018, the team found a serious vulnerability, which was patched later. In 2016, another vulnerability was found in Jetpack shortcodes, which was patched in May of that year.
Last year, hackers found a way to install backdoor plugins on WordPress websites, exposing many WordPress.com accounts and the Jetpack plugin's remote management feature.