Jetpack, a widely used WordPress plugin, has forced the installation of an urgent update to fix a flaw that put the security of over five million websites in jeopardy.
According to Bleeping Computer, a user known as nguyenhg vcs discovered a security flaw in the way Jetpack handles comments for various images. When the threat was discovered, Automattic (the company that created and manages both WordPress, one of the world’s most popular content management systems, and Jetpack, a plugin that provides many benefits, including additional security, improved performance, and various management features) prepared a security update and decided to push it out to everyone due to the severity of the threat.
Approximately five million websites have been updated so far, with the downloads statistics page indicating that almost all of the affected sites have been secured. We don’t know what the bug allows hackers to do with the information, but we do know that Automattic fixed it by adding more authorization logic.
Automattic mentioned that versions dating back almost a decade are affected, as the patch only covers Jetpack 2.0 and later.
There is no evidence of exploits.
According to Automattic, there is no evidence of the flaw being exploited in the wild, but now that it’s out in the open, it could very well be.
“It’s only a matter of time now that the update has been released before someone tries to exploit this vulnerability,” the developers said.
“We worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0 to assist you in this process,” Automattic said. “Most websites have been automatically updated to a secure version, or will be soon.”
Forced updates aren’t popular among webmasters, who frequently complain about the problems they cause with the site’s layout and performance. WordPress lead developer Andrew Nacin said the company only did it a handful of times when he addressed the issue on Twitter years ago.
In 2019, the developers pushed a critical security update to Jetpack users, fixing a bug in how it processed embed code, according to Bleeping Computer.