The development team behind the popular Jetpack plugin has released version 10.5, which fixes a vulnerability found in previous versions of the plugin. We recommend that all Jetpack users upgrade immediately.
Jetpack is one of the most popular plugins for WordPress. It includes a large number of modules, from creating galleries and posting to social networks to protecting against brute-force password attacks and tracking site visits.
According to the WordPress.org directory, Jetpack has nearly 25 million downloads and is active on over 1 million WordPress sites. This statistic does not include all sites in the large WordPress.com network where Jetpack is active by default. In other words, this vulnerability affects several million WordPress sites.
For this incident, the WordPress project security team decided to use the automatic updates mechanism in the WordPress core to update Jetpack to the latest version (within the installed branch) on all sites that support it. So did a number of hosting providers.
If your site supports automatic updates, the Jetpack plugin may already have been updated on your site. However, we recommend checking this and updating the plugin manually if necessary. You can download the archive of the latest version of Jetpack from the WordPress directory.