Critical vulnerability in Jetpack plugin


The development team behind the popular Jetpack plugin has released version 10.5, which fixes a vulnerability found in previous versions of the plugin. We recommend that all Jetpack users upgrade immediately.

Jetpack is one of the most popular plugins for WordPress. It includes a large number of modules, from creating galleries and posting to social networks to protecting against brute-force password attacks and tracking site traffic.

According to the WordPress.org directory, Jetpack has nearly 25 million downloads and is active on over 1 million WordPress sites. This figure does not include the sites in the large WordPress.com network, where Jetpack is active by default. In other words, this vulnerability affects several million WordPress sites.

The vulnerability is a cross-site scripting (XSS) flaw that allows an attacker to inject arbitrary JavaScript code into WordPress posts and comments. The injected code can read the cookies of logged-in users and ultimately give the attacker access to the WordPress administration panel.


For this incident, the WordPress project security team decided to take advantage of the automatic updates mechanism in the core of WordPress, and use it to update Jetpack to the latest version (within the installed branch) on all sites with such support. So did a number of hosting providers.

If your site supports automatic updates, the Jetpack plugin may already have been updated on your site. However, we recommend checking this and updating the plugin manually if necessary. You can download the archive of the latest version of Jetpack from the WordPress directory.
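
One way to do the check recommended above across several sites at once, as an added example that is not part of the original article or of Jetpack itself: the script reads the installed version from the plugin header and compares it with 10.5, the fixed release named here. The plugin path `wp-content/plugins/jetpack/jetpack.php` and the ` * Version:` header format are assumptions about a default install; the article does not list the patched point releases for older branches, so an `older` result on an auto-updated site means "confirm against the Jetpack changelog".

```shell
#!/bin/sh
# Added example: report the installed Jetpack version for each WordPress root
# given on the command line and flag versions older than the fixed release.

FIXED_VERSION="10.5"   # fixed release named in the article

# Print the first "Version:" value found in a plugin's main file header.
# Assumption: the header line looks like " * Version: 10.4".
plugin_version() {
    sed -n 's/^[[:space:]*#]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if version $1 is strictly older than version $2.
# sort -V compares numerically per component, so 9.9 < 10.5 and 10.10 > 10.5.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify one WordPress root; prints "<status> <version>".
check_jetpack() {
    # Assumed default plugin location under the WordPress root.
    main_file="$1/wp-content/plugins/jetpack/jetpack.php"
    [ -f "$main_file" ] || { echo "not-installed -"; return 0; }
    found="$(plugin_version "$main_file")"
    [ -n "$found" ] || { echo "unknown -"; return 0; }
    if version_lt "$found" "$FIXED_VERSION"; then
        echo "older $found"      # below the fixed release: verify and update
    else
        echo "ok $found"
    fi
}

# Usage: sh check_jetpack.sh /var/www/site1 /var/www/site2 ...
for root in "$@"; do
    printf '%s: %s\n' "$root" "$(check_jetpack "$root")"
done
```
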
