Automattic, the company behind the widely used WordPress CMS, has pushed a forced security update to fix a severe vulnerability in its popular Jetpack WordPress plugin. The update is reaching millions of websites worldwide.
A much-needed security solution
Jetpack is a widely used plugin that adds free security, performance and site-management tools to WordPress, including site backups, brute-force attack protection, secure logins and malware scanning.
According to the official WordPress plugin repository, the plugin is maintained by Automattic and currently has more than 5 million active installations.
Jeremy Herve, Developer Relations Engineer at Automattic, said that an internal security audit uncovered a vulnerability in Jetpack's API that has been present since version 2.0, released in 2012. The flaw could allow site authors to manipulate any file within the WordPress installation.
Swift action for greater security
Automattic responded by rolling out the security release Jetpack 12.1.1 to all WordPress sites running the plugin. The rollout began today and has already reached more than 4,130,000 sites running any Jetpack version since 2.0.
Most vulnerable sites have already been auto-updated to the patched release; the remainder are expected to receive it soon.
Herve urged site administrators to verify their sites are secure, since attackers could use the flaw to target unpatched WordPress installations. He stressed that, although there is no evidence of the bug being exploited so far, the risk remains, and updating to the latest Jetpack version is critical.
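As an added example, not code from the article or from Automattic, the following script lets an administrator confirm on the web server that the forced update actually landed. It assumes the standard plugin path `wp-content/plugins/jetpack/jetpack.php` and treats 12.1.1, the release named above, as the minimum patched version.

```python
"""Check whether the installed Jetpack plugin is at or above the patched release."""
import re
from pathlib import Path

# Assumption: the article names Jetpack 12.1.1 as the patched release.
PATCHED_VERSION = "12.1.1"

# WordPress reads plugin metadata from the file header as "Key: value" lines,
# usually inside a block comment, so each line may start with " * ".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Constructed sample headers for demonstration (not real jetpack.php contents).
SAMPLE_HEADER_OLD = "<?php\n/*\n * Plugin Name: Jetpack\n * Version: 12.1\n */\n"
SAMPLE_HEADER_NEW = "<?php\n/*\n * Plugin Name: Jetpack\n * Version: 12.1.1\n */\n"


def parse_version(version: str) -> tuple:
    """Turn '12.1.1' into (12, 1, 1); a non-numeric component sorts lowest."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)", piece)
        parts.append(int(m.group(1)) if m else -1)
    return tuple(parts)


def installed_jetpack_version(header_text: str):
    """Extract the Version: field from the plugin file header, or None if absent."""
    # WordPress itself only inspects the first 8 KB of the file for header data.
    m = _VERSION_RE.search(header_text[:8192])
    return m.group(1) if m else None


def needs_update(header_text: str) -> bool:
    """True when the header's version is missing or older than PATCHED_VERSION."""
    installed = installed_jetpack_version(header_text)
    if installed is None:
        return True
    return parse_version(installed) < parse_version(PATCHED_VERSION)


def check_site(wp_root: str) -> tuple:
    """Report ('not-installed' | 'vulnerable' | 'patched', installed_version)."""
    plugin_file = Path(wp_root) / "wp-content" / "plugins" / "jetpack" / "jetpack.php"
    if not plugin_file.is_file():
        return ("not-installed", None)
    header = plugin_file.read_text(encoding="utf-8", errors="replace")
    installed = installed_jetpack_version(header)
    return ("vulnerable" if needs_update(header) else "patched", installed)


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the WordPress root as the argument; a result of `vulnerable` means the site has not yet received the patched release and should be updated by hand.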
Automattic’s history of proactive security measures
This is not the first time Automattic has proactively pushed security updates to fix critical issues in WordPress plugins or installations. WordPress developer Samuel Wood confirmed in October 2020 that this mechanism had been used many times since the release of WordPress 3.7.
We would like to know what our readers think about this development. How do you view forced patch installation of this kind? Share your thoughts in the comments below.