Critical Vulnerability Patched In Jetpack WordPress Plugin
Heads up, WordPress admins! It’s time to update your websites with the latest Jetpack release, as the plugin has addressed a critical vulnerability that exposed site data. While no active exploitation attempts have been detected, the developers urge users to patch their sites promptly as a precaution.
Jetpack Vulnerability Exposed Forms Submitted On A WordPress Website
According to a recent advisory from the Jetpack plugin’s team, a serious security flaw existed for several years. Exploiting the flaw could let an authenticated adversary access internal site data.
Specifically, the vulnerability existed in the plugin’s “Contact Form” feature. An authenticated, logged-in attacker could exploit the flaw to access forms submitted on the site by other users. This could potentially lead to a security breach for both the site and the users.
Notably, this vulnerability went undetected for several years. According to the plugin’s team, the flaw first appeared with the Contact Forms feature released with version 3.9.9 in 2016. That means the threat persisted for 8 years, potentially risking millions of websites.
Thankfully, the developers confirmed that they have detected no active exploitation attempts for the vulnerability. Nonetheless, now that the details have become public, the researchers urge all users to update their sites to the latest Jetpack plugin release. They have listed all versions carrying the fix in their advisory for convenience.
Here is a full list of the 101 different versions of Jetpack we’ve released today:
13.9.1, 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, 13.1.4, 13.0.1, 12.9.4, 12.8.2, 12.7.2, 12.6.3, 12.5.1, 12.4.1, 12.3.1, 12.2.2, 12.1.2, 12.0.2, 11.9.3, 11.8.6, 11.7.3, 11.6.2, 11.5.3, 11.4.2, 11.3.4, 11.2.2, 11.1.4, 11.0.2, 10.9.3, 10.8.2, 10.7.2, 10.6.2, 10.5.3, 10.4.2, 10.3.2, 10.2.3, 10.1.2, 10.0.2, 9.9.3, 9.8.3, 9.7.3, 9.6.4, 9.5.5, 9.4.4, 9.3.5, 9.2.4, 9.1.3, 9.0.5, 8.9.4, 8.8.5, 8.7.4, 8.6.4, 8.5.3, 8.4.5, 8.3.3, 8.2.6, 8.1.4, 8.0.3, 7.9.4, 7.8.4, 7.7.6, 7.6.4, 7.5.7, 7.4.5, 7.3.5, 7.2.5, 7.1.5, 7.0.5, 6.9.4, 6.8.5, 6.7.4, 6.6.5, 6.5.4, 6.4.6, 6.3.7, 6.2.5, 6.1.5, 6.0.4, 5.9.4, 5.8.4, 5.7.5, 5.6.5, 5.5.5, 5.4.4, 5.3.4, 5.2.5, 5.1.4, 5.0.3, 4.9.3, 4.8.5, 4.7.4, 4.6.3, 4.5.3, 4.4.5, 4.3.5, 4.2.5, 4.1.4, 4.0.7, 3.9.10.
This isn’t the first time Jetpack has addressed a vulnerability that persisted for years. In June 2023, the team patched another vulnerability in the plugin that could allow authenticated attackers with author roles on a site to manipulate WordPress installation files. That vulnerability had existed since 2012, and it took roughly 11 years to receive a patch. Thankfully, that time, too, the vulnerability went unnoticed by criminals and only came to Jetpack’s attention during an internal audit.