The software company behind the popular blogging platform WordPress automatically updated over 5 million installations of the Jetpack plugin after a critical vulnerability was discovered in it.
Automattic, which also counts Jetpack as one of its subsidiaries, launched an update yesterday to bring its users up to date with the new version 12.1.1.
“During an internal security audit, we discovered a vulnerability in an API available in Jetpack since version 2.0 released in 2012,” explained Jeremy Herve, Developer Relations Engineer at Automattic. “A site author could use this vulnerability to manipulate files within a WordPress installation.”
Herve said there was no evidence of the vulnerability having been exploited in the wild.
“However, now that the update has been released, it is possible that someone will attempt to exploit this vulnerability,” he warned.
“To assist in this process, we have been working closely with the WordPress.org security team to release patched versions of all versions of Jetpack since 2.0. It has been automatically updated to a safe version or will be automatically updated soon.”
Herve listed 102 new versions of Jetpack released yesterday to fix bugs.
Jetpack is designed to provide users with a variety of security features, including automatic backups with one-click restore, a web application firewall, malware scanning, brute force attack protection, and more. It also comes with features to optimize and customize a site and gain visibility into its performance.
These features have earned Jetpack millions of downloads worldwide.
Although rather unusual, Automattic has issued automatic updates in the past to fix security issues.
For example, in June 2022, it force-installed an update to the popular Ninja Forms plugin after discovering that a new vulnerability affecting over a million sites was being actively exploited.
WordPress and its plugins remain a prime target for threat actors.
Security firm Wordfence claimed in 2020 that attackers used automated tools to search for sites still running outdated versions of file manager plugins containing zero-day bugs.