Automattic, the maker of the Jetpack plug-in for WordPress sites, is force-updating the plug-in to address a critical bug affecting over 5 million sites.
Automattic said the bug has existed in Jetpack since 2012 but has not been exploited by anyone so far. Though all the WordPress sites running this plug-in have been updated by now, the maker warns site admins to update manually if their site was missed in this process.
API Bug in Jetpack Plug-in
Automattic, the maker and maintainer of the popular content management system WordPress, has force-installed an update to its Jetpack plug-in after finding a critical bug during an internal audit.
For those unfamiliar, Jetpack is a free WordPress plug-in for security, performance, and other site management-related features. Made by Automattic, this plug-in has had over 5 million installs so far. Thus, any issue with it will affect millions of sites relying on it.
Fortunately, that did not happen with the recent bug noted by Automattic, where the company said Jetpack versions since 2012 (v2.0 onwards) are affected by an API vulnerability that could let site authors manipulate any files in the WordPress installation.
Automattic has force-updated all the Jetpack plug-ins remotely to secure the sites relying on it, as per a statement from their Developer Relations Engineer, Jeremy Herve. The company has already patched 4,130,000 sites using this plug-in, with the rest being done soon.
If you're a site admin using the Jetpack plug-in and missed this automatic update by any chance, you should manually update it to v12.1.1. Though Automattic has found no abuse of this bug in the wild yet, it warns of attackers developing exploits to hit unpatched WordPress websites. Thus, it's seriously advised to update the Jetpack plug-in as soon as possible.
This isn't the first time Automattic has automatically updated WordPress sites; it has been doing so with several plug-ins since WordPress 3.7.
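For admins who want to confirm which installs missed the forced update, here is an added example (not code from Automattic or the article) that reads the Version header of Jetpack's main plug-in file and classifies each WordPress root. It applies only the range the article gives (affected from v2.0, update to v12.1.1); the default `wp-content/plugins/jetpack/jetpack.php` path and the verdict names are assumptions.

```python
import re
import sys
from pathlib import Path

FIRST_AFFECTED = (2, 0, 0)   # per the article: bug present since v2.0
FIXED = (12, 1, 1)           # per the article: update to v12.1.1

# Constructed sample header for a quick self-check (not copied from a real release).
SAMPLE = "<?php\n/**\n * Plugin Name: Jetpack\n * Version: 11.4\n */\n"

# WordPress reads plugin metadata from "Name: value" lines in the leading comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)(\S*)", re.M | re.I)


def header_version(php_source):
    """Return (numeric tuple, raw string) from a plugin header, or None."""
    m = VERSION_RE.search(php_source[:8192])  # headers sit near the top of the file
    if not m:
        return None
    nums = tuple(int(n) for n in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))            # "12.2" compares as (12, 2, 0)
    return nums, m.group(1) + m.group(2)


def jetpack_status(wp_root):
    """Classify one WordPress install: (raw version or None, verdict)."""
    # Assumed default layout; sites that relocate wp-content need another path.
    main = Path(wp_root) / "wp-content" / "plugins" / "jetpack" / "jetpack.php"
    if not main.is_file():
        return None, "not-installed"
    parsed = header_version(main.read_text(encoding="utf-8", errors="replace"))
    if parsed is None:
        return None, "unknown"
    nums, raw = parsed
    if nums < FIRST_AFFECTED:
        return raw, "predates-bug"
    # A suffixed build such as "12.1.1-beta" is not counted as the fixed release.
    if nums > FIXED or (nums == FIXED and raw == ".".join(map(str, FIXED))):
        return raw, "ok"
    return raw, "needs-update"


if __name__ == "__main__":
    print("sample header ->", header_version(SAMPLE))
    for root in sys.argv[1:]:
        print(root, *jetpack_status(root))
```

Run it with one or more WordPress root directories as arguments; any install reported as `needs-update` should be updated through the WordPress admin as the article advises.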