‘Ninja Forms’ Pushed a Very Important Update Affecting 1 Million Sites
Published on September 23, 2021
The popular Jetpack WordPress plugin, developed by Automattic, has released a critical update addressing a significant security vulnerability impacting approximately 27 million websites, which was present since version 3.9.9 (released in 2016).
Identified during an internal security audit, this vulnerability allows logged-in users to access forms submitted on sites utilizing the plugin, posing considerable privacy risks. Jetpack is a comprehensive plugin aimed at enhancing website performance, security, and traffic growth.
In a recent announcement, Jetpack stated, “Earlier today we released a new version of Jetpack, 13.9.1. This release contains a critical security update. While we have no evidence that this vulnerability has been exploited yet, please update your version of Jetpack as soon as possible to ensure the security of your site.”
Particularly concerning the Contact Form feature, this vulnerability enables logged-in users to read forms submitted by other site visitors. In response, the Jetpack security team collaborated closely with the WordPress.org Security Team to patch all versions since 3.9.9, aiming to minimize risks and bolster the plugin’s security framework.
To facilitate a smooth transition, most sites using Jetpack have been or will soon be automatically updated to a secure version. The update includes a detailed list of 101 versions, ranging from 13.9.1 to 3.9.10. If a website operates on any of these versions, it is now secure against this particular vulnerability.
Jetpack also emphasized, “We apologize for any extra workload this may put on your shoulders today. We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe.” This statement underscores their commitment to ongoing vigilance, reassuring users that this vulnerability is being taken seriously.
While Jetpack maintains that there is currently no evidence of exploitation, the nature of security vulnerabilities means potential threats can emerge swiftly post-update. Users are strongly urged to ensure their sites run the latest version of the plugin to maintain security.
In August, a flaw in the GiveWP WordPress donation plugin permitted unauthenticated PHP Object Injection, exposing 100,000 websites to remote code execution attacks.