Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin
WordPress website admins and owners are encouraged to apply the critical Jetpack 7.9.1 security update immediately. Vulnerabilities in Jetpack that could leave websites open to attack have existed since Jetpack 5.1. Jetpack is a popular WordPress plugin that provides security, performance and site management services, including malware scanning and brute-force attack prevention. The plugin is currently used by 5 million websites and was developed by Automattic, the company that runs WordPress itself.
The vulnerability lies in the way Jetpack processed embed code. Jetpack announced that the bug impacts versions after 5.1 and may have been present since July 2017. Jetpack developers state that no evidence of the bug was discovered until the release of the latest security update, 7.9.1. Of the 5 million users, 4 million have already updated Jetpack, effectively patching the bug.