Automattic developers and the WordPress security team have deployed a forced security update to millions of sites to fix a critical vulnerability in the Jetpack plugin. With nearly 5 million installations, Jetpack provides users with free security, performance, and site management features, including brute-force protection, backup, secure login, and malware scanning. The plugin is created and maintained by Automattic itself.
During an internal security audit, Automattic identified a vulnerability in an API that has been present in Jetpack since version 2.0, released in 2012. The flaw could be exploited by users holding the Author role on a site to manipulate any file in the WordPress installation. The fix shipped in Jetpack 12.1.1, and this version was pushed automatically to all WordPress sites running the plugin. According to official statistics, the rollout has already been completed and most sites are now on the latest secure version.
Automattic engineers warn that although no signs of exploitation of the vulnerability have been found, attackers may soon learn the details of the problem and create exploits to attack unpatched sites.
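Since the forced update is the whole story here, the one thing a site operator wants to verify is that their copy of Jetpack actually landed on 12.1.1 or later (sites with auto-updates disabled, or with a wp-content directory that is not writable, can miss forced rollouts). The script below is an added example, not code from Automattic, Jetpack or WordPress: it reads the standard WordPress plugin header from the plugin's main file (assumed, as in a default install, to be `wp-content/plugins/jetpack/jetpack.php`) and compares the `Version:` line against the patched release. The sample header embedded in the block is constructed for the example.

```python
"""Check whether an installed Jetpack copy is at or above the patched release.

Added example, not Automattic's or WordPress's own code. Assumes the plugin's
main file is wp-content/plugins/jetpack/jetpack.php and carries the standard
WordPress plugin header with a "Version:" line.
"""
import re
import sys
from pathlib import Path

PATCHED_VERSION = "12.1.1"  # release carrying the fix, from the advisory

# Matches a header line such as " * Version: 12.0.1" inside the plugin's
# leading comment block; MULTILINE lets ^ anchor at each line start.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Constructed sample header for offline use (an unpatched 12.0.1 install).
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Jetpack
 * Plugin URI: https://jetpack.com
 * Version: 12.0.1
 * Author: Automattic
 */
"""


def parse_version(text):
    """Turn '12.1.1', '12.2' or '12.1.1-beta' into a comparable key.

    Numeric components are padded to three places so 12.1 == 12.1.0, and a
    pre-release suffix (anything after '-') sorts below the final release of
    the same number.
    """
    core, _, suffix = text.partition("-")
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    parts = parts + (0,) * (3 - len(parts))
    return (parts, 0 if suffix else 1)


def is_patched(version):
    """True when the given Jetpack version contains the fix."""
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def version_from_header(header_text):
    """Extract the Version: value from a WordPress plugin header, or None."""
    match = VERSION_RE.search(header_text)
    return match.group(1) if match else None


def check_plugin_file(path):
    """Return (version, patched) for the plugin file at `path`.

    Only the first 8 KiB are read: the WordPress header always sits at the top
    of the file, so there is no need to load the whole plugin.
    """
    header = Path(path).read_text(encoding="utf-8", errors="replace")[:8192]
    version = version_from_header(header)
    if version is None:
        raise ValueError(f"no Version: header found in {path}")
    return version, is_patched(version)


if __name__ == "__main__":
    # Usage: python check_jetpack.py /var/www/html  (path to the WordPress root)
    if len(sys.argv) > 1:
        plugin_file = Path(sys.argv[1]) / "wp-content" / "plugins" / "jetpack" / "jetpack.php"
        found, ok = check_plugin_file(plugin_file)
    else:
        found = version_from_header(SAMPLE_HEADER)
        ok = is_patched(found)
    print(f"Jetpack {found}: {'patched' if ok else 'UNPATCHED, update to ' + PATCHED_VERSION}")
    sys.exit(0 if ok else 1)
```

Run it with the WordPress root as its only argument on each host; a non-zero exit makes it easy to wire into a fleet check. Anyone managing many installs should pair this with WP-CLI's `wp plugin list` output, since a stale file on disk and a plugin that WordPress believes is current are not always the same thing.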