
Jetpack fixes flaw in Contact Form, warns of potential risks


Jetpack, the popular WordPress plugin suite, has released a critical security update today, urging users to update their sites immediately to avoid potential exploitation. The latest version, 13.9.1, addresses a vulnerability in the plugin’s Contact Form feature that could allow any logged-in user to access form submissions from website visitors.

This vulnerability has existed since version 3.9.9, released in 2016. The Jetpack developers have confirmed that there is no evidence of the flaw having been exploited in the wild against any of the 27 million websites using the plugin. However, they stress the importance of updating to safeguard user sites.

To mitigate the risk, Jetpack has worked closely with the WordPress.org Plugins Team to ensure that all versions of Jetpack dating back to 3.9.9 have been patched. Jetpack has released 101 patched versions, one for every minor branch since 3.9.9, so that even sites on older plugin versions are secured.

Here is the full list of patched versions released by Jetpack:

13.9.1, 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, 13.1.4, 13.0.1, 12.9.4, 12.8.2, 12.7.2, 12.6.3, 12.5.1, 12.4.1, 12.3.1, 12.2.2, 12.1.2, 12.0.2, 11.9.3, 11.8.6, 11.7.3, 11.6.2, 11.5.3, 11.4.2, 11.3.4, 11.2.2, 11.1.4, 11.0.2, 10.9.3, 10.8.2, 10.7.2, 10.6.2, 10.5.3, 10.4.2, 10.3.2, 10.2.3, 10.1.2, 10.0.2, 9.9.3, 9.8.3, 9.7.3, 9.6.4, 9.5.5, 9.4.4, 9.3.5, 9.2.4, 9.1.3, 9.0.5, 8.9.4, 8.8.5, 8.7.4, 8.6.4, 8.5.3, 8.4.5, 8.3.3, 8.2.6, 8.1.4, 8.0.3, 7.9.4, 7.8.4, 7.7.6, 7.6.4, 7.5.7, 7.4.5, 7.3.5, 7.2.5, 7.1.5, 7.0.5, 6.9.4, 6.8.5, 6.7.4, 6.6.5, 6.5.4, 6.4.6, 6.3.7, 6.2.5, 6.1.5, 6.0.4, 5.9.4, 5.8.4, 5.7.5, 5.6.5, 5.5.5, 5.4.4, 5.3.4, 5.2.5, 5.1.4, 5.0.3, 4.9.3, 4.8.5, 4.7.4, 4.6.3, 4.5.3, 4.4.5, 4.3.5, 4.2.5, 4.1.4, 4.0.7, 3.9.10.

“If your site is running any of these versions, your website is not vulnerable to this issue anymore, it has been automatically updated to a secure version,” assured Jetpack.


Most Jetpack websites have either been automatically updated or will soon receive the patched version. For users whose sites have not been automatically updated, Jetpack recommends performing a manual update to prevent any potential security breaches.

Though there has been no confirmation of exploitation, Jetpack acknowledged that now that the update is public, there is a heightened risk of bad actors attempting to leverage the vulnerability.

This news comes amid tensions in the WordPress community as the fight between Automattic and WP Engine continues. The dispute began over ownership of the WordPress trademark, and recently Automattic forked the widely used Advanced Custom Fields (ACF) plugin to create a new plugin, Secure Custom Fields (SCF), further increasing the tensions.

A few months ago, the JS Help Desk WordPress plugin suffered an RCE flaw affecting 5,000 websites.

On July 1, four WordPress plugins — WP Server Health, Ad Invalid Click Protector, PowerPress Podcasting plugin by Blubrry, and SEO Optimised Images — were hit by a supply chain attack. Last month, an Arbitrary Options Update flaw was reported to have affected over 40,000 Login/Signup Popup plugin installations.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
