One of the most popular WordPress site optimization plugins, Jetpack, carried a major vulnerability for years, which allowed people to access other people’s submitted content. The company that manages the plugin, Automattic, discovered the vulnerability during an internal audit recently, and released fixes for all vulnerable versions.
Users are advised to apply the fix immediately, since there is no workaround and since crooks will probably now try to take advantage of the bug.
In a security advisory published together with the patches, Automattic said that the vulnerability allowed “any logged in users on a site to read forms submitted by visitors on the site.”
IntelBroker
Multiple versions were said to be affected, with the earliest one being released back in 2016, “During an internal security audit, we found a vulnerability with the Contact Form feature in Jetpack ever since version 3.9.9, released in 2016,” Automattic said.
In total, 101 versions are affected. You can find the entire list here.
The company also said that there is, so far, no evidence that malicious actors discovered and abused the flaw in the past. However, now that the cat is out of the bag, it’s only a matter of time before miscreants start scanning for vulnerable WordPress sites. Therefore, applying the patch is paramount. There is no workaround, and users are advised to first double-check if their website updated automatically (since some do).
The technical details of the flaw will be released once Automattic determines that the majority of users migrated to the fixed version.
Jetpack for WordPress is a multifunctional plugin that enhances website performance, security, and management. It comes with tools for SEO, social media integration, and e-commerce support, helping its users optimize the sites for user experience and visibility. The plugin also comes with customizable themes and advanced search features.
Via BleepingComputer
Thousands of WordPress sites potentially at risk from plugin security flawHere’s a list of the best firewalls todayThese are the best endpoint protection tools right now