Jetpack, a popular WordPress plugin, has released a critical security update. Version 13.9.1 was launched earlier today to address a vulnerability that could potentially expose sensitive visitor information.
The flaw, identified during an internal security audit, affects the Contact Form feature in all Jetpack versions since 3.9.9, released in 2016.
Vulnerability Details and Potential Risks
The vulnerability allows logged-in users to access forms visitors submit, posing a significant privacy risk.
Although there is no evidence that this flaw has been exploited, the update’s release raises concerns that malicious actors might attempt to exploit it now that the issue is public.
Jetpack’s development team has worked closely with the WordPress.org Security Team to ensure that patched versions are available for every affected release since 3.9.9.
This collaboration underscores the urgency and importance of swiftly addressing the flaw to protect the integrity of sites using the plugin.
Automatic Updates and User Action Required
Most Jetpack websites have been or will soon be automatically updated to a secure version, mitigating immediate risks for many users.
However, site administrators are strongly advised to verify their current Jetpack version and ensure it is updated to one of the secure versions listed.
A comprehensive list of 101 patched versions has been released, including versions from 13.9.1 down to 3.9.10. If your site runs any of these versions, it is no longer vulnerable to this issue.
Jetpack’s team regrets any inconvenience caused by this update but emphasizes its commitment to maintaining robust security standards.
“We apologize for any extra workload this may put on your shoulders today,” a spokesperson said. “We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe.”