
WordPress has pushed an automatic update to address a critical flaw in the Jetpack plugin, which is installed on more than 5 million sites.
The vulnerability was found during an internal security audit and lies in an API that has been part of the plugin since version 2.0, released in November 2012.
“This vulnerability could be exploited by site authors to manipulate files within WordPress installations,” Jetpack said in its advisory. Jetpack 12.1.1 fixes the bug, and because the affected API dates back to 2.0, Jetpack worked with the WordPress.org security team to ship patched builds of every major version since then, 102 new releases in total, which are being pushed to sites automatically.
While there is no evidence that the issue has been exploited in the wild, flaws in widely installed WordPress plugins are routinely weaponised by attackers looking to take over sites. Note that the prerequisite here is an account with the Author role, so sites that hand out Author accounts to untrusted users (multi-author blogs, open contributor programmes) are the ones most exposed until the update lands.
This isn’t the first time WordPress has been forced to push a patch for a critical security vulnerability in Jetpack.
In November 2019, Jetpack released version 7.9.1, which fixed a flaw in how the plugin handled embed code; that bug had existed since July 2017 (version 5.1).
The development coincides with Patchstack’s disclosure of a security flaw in the premium Gravity Forms plugin: a PHP object injection that unauthenticated visitors can trigger, which, given a suitable gadget chain on the site, can lead to arbitrary PHP code execution.

The issue (CVE-2023-28782) affects Gravity Forms 2.7.3 and all earlier versions. It was resolved in version 2.7.4, released on April 11, 2023, so sites still on 2.7.3 or older should update.
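Because the Gravity Forms bug belongs to the PHP object injection class, the following added example (written for this page, not code from Gravity Forms, Jetpack or Patchstack) shows the bug class in its general form: a handler that calls unserialize() on request input, beside the hardened variant that forbids object instantiation. The LogWriter gadget class, the file path and the serialized payload are constructed for illustration and are not taken from the real vulnerability.

```php
<?php
// Added illustration of the PHP object injection bug class behind
// CVE-2023-28782. Not Gravity Forms or Jetpack code: the LogWriter class is
// a hypothetical gadget and the payload below is constructed for this example.

// A gadget: any already-loaded class whose magic method (__destruct,
// __wakeup, __toString, ...) does something dangerous with its properties.
// Real gadget chains come from plugins and libraries the site already loads.
class LogWriter {
    public $path;
    public $data;
    public function __destruct() {
        // Attacker controls both operands once this object is unserialised.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: feeding request input straight into unserialize().
// Any class named in the payload is instantiated and its magic methods run.
function vulnerable_handler(string $raw) {
    return unserialize($raw);
}

// Hardened pattern: refuse to instantiate objects at all. Every object in the
// payload becomes a __PHP_Incomplete_Class, so no gadget code executes.
function hardened_handler(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed attacker payload: a serialized LogWriter that writes a file of
// the attacker's choosing when it is destroyed.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:12:"/tmp/poc.txt";s:4:"data";s:5:"pwned";}';

$obj = hardened_handler($payload);
var_dump($obj instanceof __PHP_Incomplete_Class);  // bool(true): gadget neutralised

// Do NOT do this with untrusted input: when $obj goes out of scope the
// destructor runs and /tmp/poc.txt is written with attacker-chosen content.
// $obj = vulnerable_handler($payload);
```

The `allowed_classes` option exists since PHP 7.0 and is the minimum mitigation when serialized input cannot be avoided; the better fix is to stop accepting PHP-serialized data from clients altogether and use JSON or another format that cannot name classes. The vulnerable and hardened handlers differ by a single argument, which is why this bug class is easy to introduce and easy to miss in review.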