WordPress Releases Automatic Update to Fix Critical Jetpack Plugin Vulnerability

WordPress has taken immediate action to address a critical flaw in the widely used Jetpack plugin, which is installed on over five million websites.
The automatic update was prompted by the discovery of a vulnerability during an internal security audit. The flaw stems from an API present in Jetpack since version 2.0, which was released in November 2012.
Jetpack stated in an advisory that this vulnerability could allow site authors to manipulate any files within the WordPress installation.
To rectify the issue, Jetpack has released 102 new versions of the plugin. Although there is currently no evidence of exploitation in the wild, it is not uncommon for threat actors to exploit vulnerabilities in popular WordPress plugins for malicious purposes.
This is not the first time that significant security weaknesses in Jetpack have necessitated the forced installation of patches by WordPress.
In November 2019, Jetpack released version 7.9.1 to address a defect related to how the plugin handled embed code, a vulnerability that had persisted since July 2017 (version 5.1).
In addition to the Jetpack vulnerability, security company Patchstack recently disclosed a flaw in the premium Gravity Forms plugin. The vulnerability (CVE-2023-28782), present in all versions up to 2.7.3, could allow an unauthorized user to inject arbitrary PHP code. This issue has been resolved in version 2.7.4, which became available on April 11, 2023.
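For site operators who cannot rely on the forced update reaching every install, the practical check is to read each plugin's version header and compare it against the fixed release. The script below is an added example written for this article; it is not code from WordPress, Jetpack, Gravity Forms or Patchstack. It parses the standard WordPress plugin header block (`Plugin Name:` / `Version:`) and flags Gravity Forms below 2.7.4, the fixed version the article names. Only Gravity Forms is tabulated because the article does not list Jetpack's fixed build numbers. The sample headers are constructed, and the `wp-content/plugins` scan assumes the default WordPress layout.

```python
"""Audit WordPress plugin version headers against a known-fixed release.

Added example, not code from the article or any of the plugins it covers.
WordPress plugins declare their version in a comment header at the top of
the main plugin file; this script parses that header and reports whether
the installed version predates the fix named in the advisory.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Matches header lines such as "Plugin Name: Foo" or " * Version: 1.2.3".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# Fixed versions taken from the article. Jetpack's 102 fixed builds are not
# listed on the page, so only Gravity Forms is included here.
FIXED_VERSIONS: Dict[str, str] = {
    "Gravity Forms": "2.7.4",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.7.3' into (2, 7, 3); a non-numeric component counts as 0."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b (numeric compare)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def parse_plugin_header(text: str) -> Dict[str, str]:
    """Extract the first 'Plugin Name' and 'Version' header values."""
    fields: Dict[str, str] = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key, value)
    return fields


def audit_plugin(text: str) -> Optional[Tuple[str, str, Optional[str], bool]]:
    """Return (name, installed, fixed, vulnerable), or None if no header."""
    header = parse_plugin_header(text)
    name, installed = header.get("Plugin Name"), header.get("Version")
    if not name or not installed:
        return None
    fixed = FIXED_VERSIONS.get(name)
    if fixed is None:
        return (name, installed, None, False)
    return (name, installed, fixed, version_lt(installed, fixed))


def audit_plugins_dir(plugins_dir: str) -> List[Tuple[str, str, Optional[str], bool]]:
    """Scan wp-content/plugins/*/*.php (default layout) and audit each header."""
    results = []
    for php_file in Path(plugins_dir).glob("*/*.php"):
        result = audit_plugin(php_file.read_text(errors="replace"))
        if result:
            results.append(result)
    return results


# Constructed sample headers (not copied from any real plugin file).
SAMPLE_VULNERABLE = """<?php
/*
Plugin Name: Gravity Forms
Plugin URI: https://example.invalid/
Version: 2.7.3
*/
"""

SAMPLE_FIXED = """<?php
/**
 * Plugin Name: Gravity Forms
 * Version: 2.7.4
 */
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        name, installed, fixed, vulnerable = audit_plugin(sample)
        status = "UPDATE REQUIRED" if vulnerable else "ok"
        print(f"{name} {installed} (fixed in {fixed}): {status}")
```

Run it against a live install with `audit_plugins_dir("/path/to/wp-content/plugins")`; the version compare is purely numeric, so a `2.10` release correctly sorts after `2.7.4`.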