Critical Security Update for Jetpack Plugin Affecting 27 Million Sites

• The Jetpack WordPress plugin released a fix for a critical security flaw in its Contact Form feature.
• Approximately 27 million websites are affected by this vulnerability, which allows authenticated users to access forms.
• A new version of Jetpack, 13.9.1, was recently released with a critical security update.

The popular Jetpack WordPress plugin, developed by Automattic, has released a critical update addressing a significant security vulnerability impacting approximately 27 million websites, which was present since version 3.9.9 (released in 2016). 

Identified during an internal security audit, this vulnerability allows logged-in users to access forms submitted on sites utilizing the plugin, posing considerable privacy risks. Jetpack is a comprehensive plugin aimed at enhancing website performance, security, and traffic growth. 

In a recent announcement, Jetpack stated, “Earlier today we released a new version of Jetpack, 13.9.1. This release contains a critical security update. While we have no evidence that this vulnerability has been exploited yet, please update your version of Jetpack as soon as possible to ensure the security of your site.”

Particularly concerning the Contact Form feature, this vulnerability enables logged-in users to read forms submitted by other site visitors. In response, the Jetpack security team collaborated closely with the WordPress.org Security Team to patch all versions since 3.9.9, aiming to minimize risks and bolster the plugin’s security framework.

To facilitate a smooth transition, most sites using Jetpack have been or will soon be automatically updated to a secure version. The update includes a detailed list of 101 versions, ranging from 13.9.1 to 3.9.10. If a website operates on any of these versions, it is now secure against this particular vulnerability.

Jetpack also emphasized, “We apologize for any extra workload this may put on your shoulders today. We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe.” This statement underscores their commitment to ongoing vigilance, reassuring users that this vulnerability is being taken seriously. 

While Jetpack maintains that there is currently no evidence of exploitation, the nature of security vulnerabilities means potential threats can emerge swiftly post-update. Users are strongly urged to ensure their sites run the latest version of the plugin to maintain security.

In August, a flaw in the GiveWP WordPress donation plugin permitted unauthenticated PHP Object Injection, exposing 100,000 websites to remote code execution attacks.