Automattic, the company behind the open-source WordPress content management system, has started force installing a security patch on millions of websites today to address a critical vulnerability in the Jetpack WordPress plug-in.
Jetpack is an immensely popular plug-in that provides free security, performance, and website management improvements, including site backups, brute-force attack protection, secure logins, malware scanning, and more.
According to the official WordPress plug-in repository, the plug-in is maintained by Automattic, and it now has over 5 million active installations.
“During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012,” Automattic Developer Relations Engineer Jeremy Herve said.
“This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation.”
Jetpack 12.1.1, the security patch now being pushed automatically to all WordPress websites using the plug-in, started rolling out today and has already been installed on more than 4,130,000 sites running every version of Jetpack since 2.0.
This means that most vulnerable websites have already been automatically updated to the latest secure version, and the rest will soon be patched too.
Herve also cautioned website admins that, while there are no signs that the bug has been abused in attacks, they should ensure that their sites are secured since attackers will most likely pick up on the flaw’s details and create exploits targeting unpatched WordPress websites.
“We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability,” Herve said.
“Please update your version of Jetpack as soon as possible to ensure the security of your site. To help you in this process, we have worked closely with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secured version.”
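One way an administrator can confirm what actually landed on a site, as an added example that is not code from the article, Automattic or the Jetpack project: read the version from the plugin header comment that WordPress itself parses (the first 8 KiB of the plugin's main file) and compare it with 12.1.1. Because Automattic also shipped backported fixes for older Jetpack branches, a version below 12.1.1 is reported as needing manual review rather than declared vulnerable. The path `wp-content/plugins/jetpack/jetpack.php` and the sample headers are assumptions constructed for the example.

```python
"""Report the installed Jetpack version relative to the 12.1.1 security release.

Added example, not Automattic's or the article's code. It reads the
"Key: value" header block that WordPress uses to determine a plugin's
version and compares it with 12.1.1 (the release named in the article).
"""
import re
from pathlib import Path

PATCHED_VERSION = "12.1.1"  # version named in the article

# WordPress inspects only the first 8 KiB of the main plugin file and reads
# "Plugin Name:" / "Version:" lines from the leading comment block.
_HEADER_RE = re.compile(
    r"^[ \t/*#@]*(?P<key>Plugin Name|Version)\s*:\s*(?P<value>.+?)\s*$", re.M
)


def parse_plugin_header(text: str) -> dict:
    """Return the 'Plugin Name' and 'Version' fields found in a plugin header."""
    header = text[:8192]  # same window WordPress reads
    found = {}
    for m in _HEADER_RE.finditer(header):
        # First occurrence wins, as in WordPress's own header parsing.
        found.setdefault(m.group("key"), m.group("value").strip())
    return found


def version_tuple(version: str) -> tuple:
    """Turn '12.1', '12.1.1' or '12.1-beta2' into a 3-part integer tuple.

    Pre-release suffixes after '-' are ignored; short versions are padded
    with zeros so that '12.1' compares equal to '12.1.0'.
    """
    nums = [int(x) for x in re.findall(r"\d+", version.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def assess(plugin_file_text: str) -> tuple:
    """Classify a Jetpack main-file header as patched / review / unknown.

    'review' means the version predates 12.1.1; the site may still carry a
    backported fix for its branch, so the result needs a manual check.
    """
    header = parse_plugin_header(plugin_file_text)
    version = header.get("Version")
    if not version:
        return ("unknown", None)
    if version_tuple(version) >= version_tuple(PATCHED_VERSION):
        return ("patched", version)
    return ("review", version)


def check_install(wp_root: str) -> tuple:
    """Look up Jetpack under a WordPress root (assumed main-file path)."""
    main_file = Path(wp_root) / "wp-content" / "plugins" / "jetpack" / "jetpack.php"
    if not main_file.is_file():
        return ("not installed", None)
    return assess(main_file.read_text(errors="replace"))


# Constructed sample headers (not real Jetpack files) for offline use.
SAMPLE_OLD = """<?php
/**
 * Plugin Name: Jetpack
 * Version: 12.1
 */
"""

SAMPLE_NEW = """<?php
/**
 * Plugin Name: Jetpack
 * Version: 12.1.1
 */
"""

if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(check_install(root))
```

Run it with the WordPress root as the only argument; a result of `('review', ...)` on an older branch means comparing the installed version against the backported release for that branch, which this script cannot do on its own because the article lists only 12.1.1.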
This is not the first time Automattic has used automated deployment of security updates to patch critical issues in WordPress plug-ins or installations.
For instance, WordPress developer Samuel Wood said in October 2020 that Automattic has used this approach to push “security releases for plug-ins many times” since WordPress 3.7 was released.