The Jetpack team just released a critical security update to fix a security vulnerability in the Jetpack WordPress plugin. The vulnerability allows an attacker to bypass the site’s access control and publish posts on the site. All versions of JetPack since October, 2012 (Jetpack 1.9) are vulnerable, and all users should update to version 2.9.3 ASAP.
Jetpack is a very popular plugin for WordPress with almost 10 million downloads, so the impact of such vulnerability can be very big if users do not update.
From the JetPack announcement:
Jetpack version 2.9.3 contains a critical security update, and you should update your site and any you help manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.
Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)
This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system.
We also want to commend George Stephanis, and the rest of the Jetpack team for their excellent disclosure handling. Also for passing over the proper detection and protection methods to prevent this vulnerability from being exploited. Because of this, CloudProxy users are already protected against this attack.
Again, if you are using Jetpack, please update it now!