WordPress force installs critical Jetpack patch on 5 million websites


Automattic, the company behind the open-source WordPress content management system, has started force installing a security patch on millions of websites today to address a critical vulnerability in the Jetpack WordPress plug-in.

Jetpack is an immensely popular plug-in that provides free security, performance, and website management improvements, including website backups, brute-force attack protection, secure logins, malware scanning, and more.

According to the official WordPress plug-in repository, the plug-in is maintained by Automattic, and it now has over 5 million active installations.

“During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012,” Automattic Developer Relations Engineer Jeremy Herve said.

“This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation.”

Jetpack 12.1.1, the security patch now being automatically pushed to all WordPress websites using the plug-in, started rolling out today and has already been installed on more than 4,130,000 sites using every version of Jetpack since 2.0.

Jetpack install statistics (WordPress)

This means that most vulnerable websites have already been automatically updated to the latest secure version, and the rest will soon be patched too.

Herve also cautioned site admins that, while there are no signs that the bug has been abused in attacks, they should ensure that their sites are secured since attackers will most likely pick up on the flaw’s details and create exploits targeting unpatched WordPress websites.

“We don’t have any evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it’s possible that someone will try to take advantage of this vulnerability,” Herve said.

“Please update your version of Jetpack as soon as possible to ensure the security of your site. To help you in this process, we’ve worked closely with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secured version.”

This is not the first time Automattic has used automated deployment of security updates to patch critical issues in WordPress plug-ins or installations.

For instance, WordPress developer Samuel Wood said in October 2020 that Automattic has used this approach to push “security releases for plug-ins many times” since WordPress 3.7 was released.
