A critical vulnerability was found in the Jetpack WordPress plugin, affecting Jetpack 5.1 and later. Jetpack is a popular WordPress plugin with more than 5 million active installations that provides a suite of features for security, performance, and site management.
The plugin is developed and maintained by Automattic, the company behind WordPress.com.
The vulnerability lies in the way Jetpack processed embed code and has been present since Jetpack 5.1, released in July 2017. There is no evidence of it being exploited in the wild, but it is likely only a matter of time before attackers try to exploit the flaw.
The flaw was reported by researcher Adham Sadaqah. Automattic posted a blog entry on its website announcing the flaw and the availability of an update. The researcher and the plugin developers deliberately withheld details of the issue at first, to avoid handing threat actors a blueprint and to protect sites that had not yet updated.
The development team worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 5.1. Most websites have been or will soon be automatically updated.
As of now, roughly four of the five million WordPress installs running Jetpack are on updated versions of the plugin. All administrators and owners of WordPress websites are strongly advised to update to Jetpack version 7.9.1.
Users can update to version 7.9.1 from the WordPress dashboard, or by downloading the release manually and installing it.
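For administrators who manage many sites, a quick way to triage the fleet is to compare each site's installed Jetpack version against the range the article describes (introduced in 5.1, fixed in 7.9.1). The script below is an added example, not code from the article or from Jetpack itself; the version bounds are taken from the article, the sample versions at the bottom are constructed so it runs offline, and the WP-CLI call in the comment is one way to obtain the real version on a live site.

```shell
#!/bin/sh
# Added example (not from the article or the Jetpack project): classify an
# installed Jetpack version against the affected range described above.
# Per the article: flaw introduced in 5.1, fixed release recommended is 7.9.1.
FIRST_AFFECTED="5.1"
PATCHED_VERSION="7.9.1"

# version_lt A B: succeed if version A sorts strictly before version B.
# Uses sort -V (GNU/BSD coreutils) so that 7.9 < 7.9.1 < 7.10 compares correctly.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# jetpack_status VERSION: print "unaffected", "vulnerable" or "patched".
jetpack_status() {
    v="$1"
    if version_lt "$v" "$FIRST_AFFECTED"; then
        echo unaffected
    elif version_lt "$v" "$PATCHED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# On a live site (run from the WordPress root with WP-CLI installed) you would use:
#   jetpack_status "$(wp plugin get jetpack --field=version)"
# Constructed sample versions so the script runs without a WordPress install:
for v in 5.0 5.1 7.9 7.9.1 8.0; do
    printf '%s\t%s\n' "$v" "$(jetpack_status "$v")"
done
```

Two caveats for real use: the article says patched builds were published for every Jetpack branch since 5.1, so a site on a patched older branch will still be reported as "vulnerable" here because the article names only 7.9.1; confirm such cases against Jetpack's own release notes before dismissing them. And "unaffected" for anything below 5.1 only means this particular flaw is absent, not that a two-year-old plugin build is safe to keep running.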