WordPress.com owner Automattic has started force-installing a security patch on millions of websites today, with the help of the WordPress Security Team, to address a critical vulnerability in the Jetpack plug-in.
Jetpack is an immensely popular plug-in that provides free security, performance, and website management improvements, including site backups, brute-force attack protection, secure logins, malware scanning, and more.
According to the official WordPress plug-in repository, the Automattic-maintained plug-in has over 5 million active installations.
"During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012," Automattic Developer Relations Engineer Jeremy Herve said.
"This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation."
Jetpack 12.1.1, the security patch being automatically pushed to all WordPress websites using the plug-in, started rolling out today and has already been installed on more than 4,130,000 sites; patched releases are available for every version of Jetpack since 2.0.
This means that most vulnerable websites have already been automatically updated to the latest secure version, and the rest will soon be patched too.
Herve also cautioned website admins that, while there are no signs that the bug has been abused in attacks, they should ensure that their sites are secured since attackers will most likely pick up on the flaw's details and create exploits targeting unpatched WordPress websites.
"We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability," Herve said.
"Please update your version of Jetpack as soon as possible to ensure the security of your site. To help you in this process, we have worked closely with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secured version."
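A quick way for a site owner to confirm the rollout reached them is to read the installed Jetpack version out of WP-CLI and compare it with the fixed release. The script below is an added example, not code from the article, Automattic or the Jetpack project; it parses the JSON that `wp plugin list --format=json --fields=name,status,update,version,update_version` produces and flags any Jetpack install that is at or above 2.0 but below 12.1.1. The sample JSON is constructed. The article states that back-ported patches exist for every branch since 2.0 but does not list their version numbers, so a site pinned to an older branch may be reported as "needs_update" even when it carries the branch patch; that case is called out in the comments and should be checked against the plug-in's changelog.

```python
import json
import re

# Fix version named in the article for the current branch; older branches received
# separate back-ported releases whose numbers the article does not give.
FIXED_VERSION = "12.1.1"
FIRST_AFFECTED = "2.0"   # the vulnerable API shipped in Jetpack 2.0 (2012)

# Constructed sample of `wp plugin list --format=json --fields=name,status,update,version,update_version`
SAMPLE_WP_CLI_OUTPUT = """[
  {"name": "akismet", "status": "active", "update": "none", "version": "5.1", "update_version": null},
  {"name": "jetpack", "status": "active", "update": "available", "version": "12.1", "update_version": "12.1.1"}
]"""


def parse_version(v):
    """Turn '12.1.1', '11.9' or '12.2-beta1' into a comparable tuple of ints.

    Pre-release suffixes after '-' are dropped; only numeric components are compared,
    so (12, 1) < (12, 1, 1) and (11, 9) < (12, 1, 1) as expected.
    """
    numeric_part = v.split("-")[0]
    return tuple(int(p) for p in re.findall(r"\d+", numeric_part))


def jetpack_status(plugins, fixed=FIXED_VERSION):
    """Classify the Jetpack install found in a wp-cli plugin list.

    Returns (state, version) where state is one of:
      not_installed  - no plugin named 'jetpack' in the list
      not_affected   - version predates 2.0, before the vulnerable API existed
      patched        - version is at or above the fixed release
      needs_update   - version is in [2.0, fixed); either genuinely unpatched or a
                       back-ported branch release not reflected in FIXED_VERSION.
                       Verify against the Jetpack changelog before dismissing.
    """
    for plugin in plugins:
        if plugin.get("name") != "jetpack":
            continue
        version = plugin["version"]
        parsed = parse_version(version)
        if parsed < parse_version(FIRST_AFFECTED):
            return ("not_affected", version)
        if parsed >= parse_version(fixed):
            return ("patched", version)
        return ("needs_update", version)
    return ("not_installed", None)


def check_wp_cli_json(text, fixed=FIXED_VERSION):
    """Parse raw `wp plugin list --format=json` output and classify Jetpack."""
    return jetpack_status(json.loads(text), fixed=fixed)


if __name__ == "__main__":
    state, version = check_wp_cli_json(SAMPLE_WP_CLI_OUTPUT)
    print(f"jetpack {version}: {state}")
    # On a real host, pipe in live data instead of the sample, e.g.
    #   wp plugin list --format=json --fields=name,status,update,version,update_version | python3 this_script.py
    # and run `wp plugin update jetpack` if the result is needs_update.
```

The comparison deliberately uses integer tuples rather than string comparison, since "12.1" < "9.0" is true as strings and would misclassify current releases as vulnerable.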
This is not the first time WordPress has used automated deployment of security updates to patch critical issues in plug-ins or WordPress installations.
For instance, WordPress developer Samuel Wood said in October 2020 that the organization had used this approach to push "security releases for plug-ins many times" since WordPress 3.7 was released.
Update: Revised story to clarify that Automattic is the company behind the freemium blogging service WordPress.com.
Comments
fromFirefoxToVivaldi - 1 year ago
I wish they would do this with every plugin which had high impact vulnerabilities.