WordPress Extension Jetpack Fixes Critical Weakness Affecting 27 Million Websites
A critical security update for the Jetpack WordPress plugin has been released by its maintainers to address a flaw that could allow authenticated users to read forms submitted by other users on a website.
Jetpack, which is run by Automattic – the company behind WordPress – is an all-in-one plugin that provides a wide range of tools to improve website security, performance, and traffic growth. It is used on 27 million WordPress websites, according to the statistics on its official website.
The vulnerability was uncovered by Jetpack during an internal security review and has persisted since the launch of version 3.9.9 back in 2016.
The weakness lies in Jetpack’s Contact Form feature and allows any authenticated user on a site, regardless of role, to view forms submitted by visitors to that site, as Jeremy Herve of Jetpack confirmed in a recent announcement. In other words, the feature relied on the user being logged in rather than on a check of whether that user was actually permitted to read submissions.
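The class of flaw described above is a missing authorization check: being logged in is treated as sufficient to read data that only site administrators should see. The following is an added illustration written for this article, not Jetpack’s own code; the REST namespace, post type and capability it uses are hypothetical and chosen only to show the weak check beside a corrected one.

```php
<?php
// Hypothetical WordPress REST endpoint that returns contact-form submissions.
// Assumes submissions are stored as a custom post type 'form_submission'
// (an assumption for this example; not Jetpack's actual storage).

// WEAK: permission_callback only asks "is someone logged in?", so any
// subscriber-level account can read every visitor's submission.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/submissions-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_list_submissions',
        'permission_callback' => 'is_user_logged_in',
    ) );
} );

// FIXED: require a capability that maps to the role that should see
// submissions. 'manage_options' is held only by administrators by default;
// a site could instead register and grant a narrower custom capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/submissions', array(
        'methods'             => 'GET',
        'callback'            => 'example_list_submissions',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Shared handler. The data it returns is the same in both routes; only the
// permission gate in front of it differs.
function example_list_submissions( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_type'      => 'form_submission',
        'post_status'    => 'any',
        'posts_per_page' => 50,
    ) );
    $out = array();
    foreach ( $posts as $p ) {
        $out[] = array(
            'id'      => $p->ID,
            'date'    => $p->post_date_gmt,
            'content' => $p->post_content,
        );
    }
    return new WP_REST_Response( $out, 200 );
}
```

When reviewing a plugin for this pattern, search for `permission_callback` values of `is_user_logged_in` or `__return_true` on routes that expose stored user data, and confirm each one is paired with a `current_user_can()` check appropriate to the data.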
Collaborating closely with the WordPress.org Security Team, Jetpack has ensured that the plugin automatically updates to a secure version on all active installations.
The flaw has been fixed in 101 distinct versions of Jetpack, namely:
13.9.1, 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, 13.1.4, 13.0.1, 12.9.4, 12.8.2, 12.7.2, 12.6.3, 12.5.1, 12.4.1, 12.3.1, 12.2.2, 12.1.2, 12.0.2, 11.9.3, 11.8.6, 11.7.3, 11.6.2, 11.5.3, 11.4.2, 11.3.4, 11.2.2, 11.1.4, 11.0.2, 10.9.3, 10.8.2, 10.7.2, 10.6.2, 10.5.3, 10.4.2, 10.3.2, 10.2.3, 10.1.2, 10.0.2, 9.9.3, 9.8.3, 9.7.3, 9.6.4, 9.5.5, 9.4.4, 9.3.5, 9.2.4, 9.1.3, 9.0.5, 8.9.4, 8.8.5, 8.7.4, 8.6.4, 8.5.3, 8.4.5, 8.3.3, 8.2.6, 8.1.4, 8.0.3, 7.9.4, 7.8.4, 7.7.6, 7.6.4, 7.5.7, 7.4.5, 7.3.5, 7.2.5, 7.1.5, 7.0.5, 6.9.4, 6.8.5, 6.7.4, 6.6.5, 6.5.4, 6.4.6, 6.3.7, 6.2.5, 6.1.5, 6.0.4, 5.9.4, 5.8.4, 5.7.5, 5.6.5, 5.5.5, 5.4.4, 5.3.4, 5.2.5, 5.1.4, 5.0.3, 4.9.3, 4.8.5, 4.7.4, 4.6.3, 4.5.3, 4.4.5, 4.3.5, 4.2.5, 4.1.4, 4.0.7, 3.9.10
Although there is no evidence that the vulnerability has been exploited in the wild, it could be abused in the future now that it has been publicly disclosed.
It is worth noting that Jetpack issued a similar set of patches for a different critical issue in June 2023, one that had been present since November 2012.
This incident occurs amid an ongoing controversy between WordPress creator Matt Mullenweg and hosting provider WP Engine, leading to WordPress.org taking over WP Engine’s Advanced Custom Fields (ACF) plugin to create a new version called Secure Custom Fields.
“SCF has been updated to eliminate commercial upsells and resolve a security issue,” Mullenweg stated. “This update is minimal to solely address the security concern.”
WordPress did not disclose the exact nature of the security issue but said that it is related to the use of the $_REQUEST superglobal. The problem has been fixed in version 6.3.6.2 of Secure Custom Fields.
“Their code currently lacks security, and recommending avoiding Secure Custom Fields until they fix the vulnerability is a failure on their part toward customers,” noted WordPress in a statement. “We have reached out to them privately about this but received no response.”
WP Engine, responding in a post on X, contended that WordPress had not previously “unilaterally and forcibly” taken a plugin that was in active development “without the creator’s consent.”
In return, WordPress highlighted that such actions had occurred multiple times in the past and stated that it retains the authority to disable or remove a plugin from the directory, revoke developer access, or modify it “without developer consent” in order to protect public safety.