The developers of the popular WordPress plugin Jetpack have released a critical security update for a vulnerability that could expose sensitive user information. The flaw allows any logged-in user of a site to read contact forms submitted by other visitors, a serious privacy risk for every site running an affected version.
Jetpack, developed by Automattic, provides a comprehensive range of tools for site security, performance, and growth. With over 27 million active installations, the plugin is widely used across the WordPress ecosystem. The flaw has been present since version 3.9.9, which was released in 2016, and was identified during an internal security audit.
Contact Form Vulnerability
The vulnerability specifically affects the Contact Form feature of Jetpack. According to Jeremy Herve from Jetpack, “The flaw could be exploited by any logged-in user to view submissions made by site visitors.” In other words, the feature treated being authenticated as sufficient to read submissions, without requiring a role or capability that should have been needed to see other people's form data. To mitigate the issue, Jetpack worked closely with the WordPress.org Security Team to push automatic updates to affected sites; sites that block automatic plugin updates need to check their installed Jetpack version and update manually.
Because many sites pin an older release, the fix was back-ported rather than shipped only in the latest branch: it has been applied to over 100 versions of Jetpack, from 3.9.10 up to the most recent 13.9.1. No exploitation in the wild has been reported, but now that the flaw is public, sites still running an unpatched version should expect attempts.
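The bug class the article describes is worth seeing in code: an endpoint that answers "is the caller logged in?" when the question it must answer is "is the caller allowed to read other people's submissions?". The snippet below is an added, constructed illustration of that class in a WordPress REST route; it is not Jetpack's code, the page does not show Jetpack's actual fix, and the route names, the `feedback` post type and the capability chosen are assumptions made for the example. The WordPress functions used (`register_rest_route`, `current_user_can`, `get_posts`, `rest_ensure_response`) are real core APIs.

```php
<?php
/**
 * Added example, not code from Jetpack or the article: the same REST route
 * registered twice, once with the weak "logged in" check the article's flaw
 * resembles, once with a proper capability check.
 *
 * Assumptions for illustration: a custom post type called 'feedback' stores
 * contact-form submissions, and 'edit_others_posts' is the capability that
 * should gate reading them (held by Editor and Administrator by default,
 * but not by Subscriber, Contributor or Author).
 */

// WEAK: permission_callback only asks whether someone is authenticated.
// A Subscriber account, which anyone can register on many sites, passes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/feedback-insecure', array(
        'methods'             => 'GET',
        'permission_callback' => 'is_user_logged_in',   // authentication only
        'callback'            => 'example_list_feedback',
    ) );
} );

// HARDENED: permission_callback asks what the caller may do, not who they are.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/feedback', array(
        'methods'             => 'GET',
        'permission_callback' => function () {
            // Authorization: require a capability that ordinary accounts lack.
            return current_user_can( 'edit_others_posts' );
        },
        'callback'            => 'example_list_feedback',
    ) );
} );

/**
 * Shared handler: returns stored submissions. Note that the handler itself
 * is identical in both routes; the only difference is the gate in front of it.
 */
function example_list_feedback( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_type'   => 'feedback',   // assumed post type for submissions
        'post_status' => 'any',
        'numberposts' => 50,
    ) );

    $out = array();
    foreach ( $posts as $p ) {
        $out[] = array(
            'id'      => $p->ID,
            'date'    => $p->post_date_gmt,
            'content' => $p->post_content,
        );
    }
    return rest_ensure_response( $out );
}
```

The same mistake shows up in `admin-ajax.php` handlers that call `check_ajax_referer()` and nothing else: a nonce proves the request came from a page the user loaded (a CSRF defence), not that the user is permitted to see the data, so a `current_user_can()` check is still required. When auditing a plugin for this class of bug, look at every REST `permission_callback` and every AJAX or admin-post handler that reads or lists data, and ask which role is the weakest one that passes the check.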
Previous Vulnerabilities and Plugin Security Concerns
This is not the first time Jetpack has addressed a long-lived critical vulnerability. In June 2023, a fix was released for a different security flaw that had existed since 2012. Both cases show how a bug in a widely installed plugin can sit unnoticed for years, which is why regular updates and periodic security audits of such plugins matter.
The update comes amidst a dispute between WordPress founder Matt Mullenweg and WP Engine, a hosting provider, over control of the Advanced Custom Fields (ACF) plugin. WordPress.org recently created a fork called Secure Custom Fields (SCF) to address security concerns and remove commercial upsells.
“SCF has been updated to remove unnecessary features and resolve a security issue,” Mullenweg stated, adding that the update was minimal, focusing on fixing a vulnerability related to the $_REQUEST variable. The vulnerability was resolved in SCF version 6.3.6.2.
In response to criticism from WP Engine, which argued that WordPress had overstepped by taking control of the ACF plugin, Mullenweg emphasized that WordPress reserves the right to take action when public safety is at risk.
Importance of Timely Security Updates
This latest patch underlines the ongoing need for timely updates to maintain website security. Users of Jetpack and other WordPress plugins should confirm that automatic updates are actually applying on their sites, check for updates regularly, and install them as soon as they are available to mitigate potential threats.