less than 1 minute read

As we've said before, lots of our users run WordPress on their websites and its popularity makes it a big target. So when a new vulnerability is discovered, acting quickly is prudent.

Jetpack

Jetpack is an extremely popular plugin to provide self-hosted blogs with all of the additional functionality that WordPress provide to sites hosted with their own hosted platform at WordPress.com.

Very recently, a serious security flaw in Jetpack was discovered. It has the potential to allow an attacker to complete actions on a blog without having to log in, such as posting. The WordPress team has written about the the problem here.

This problem was assigned the CVE number CVE-2014-0173 and is fixed in Jetpack 2.9.3 released today. Everyone using Jetpack on their WordPress site should update immediately.

Upgrade process

All CloudFlare customers who use WordPress are automatically protected against this bug. We rolled out a Web Application Firewall (WAF) rule that is automatically enabled for all customers (free or paid) to protect against this problem.

Jetpack 2.9.3

Customers using Jetpack should still upgrade immediately, but the WAF rule gives a little breathing space.