Millions of WordPress sites just got a major security upgrade

Forced update fixed an urgent flaw in WordPress Jetpack plugin

The developers of Jetpack, a hugely popular WordPress plugin, have force-installed an urgent update to fix a flaw that threatened the security of more than five million websites.

As reported by Bleeping Computer, a researcher going by the alias nguyenhg_vcs discovered a security bug in how Jetpack handles comments for different images. Once the flaw was identified, Automattic (the company behind WordPress.com and Jetpack; WordPress itself is one of the world’s most popular content management systems, and Jetpack is a plugin that adds security, performance and site-management features to it) prepared a security update and, given the severity of the threat, decided to push it to everyone.

So far, approximately five million websites have been updated, with the downloads statistics page showing almost all affected sites secured. Details of what the bug actually allows an attacker to do have not been disclosed, but we do know that Automattic fixed it by adding further authorization logic.

Versions almost a decade old were affected: the patched releases go all the way back to Jetpack 2.0.

No evidence of exploits

Automattic says there is no evidence of the flaw being used in the wild, but now that it’s out in the open, it might very well start being used.

“Now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability,” the developers said.

“To help you in this process, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0,” Automattic said. “Most websites have been or will soon be automatically updated to a secured version.”
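The practical follow-up for a site owner is to confirm that the forced update actually landed. The script below is an added example, not code from the article, from Automattic or from Jetpack: it reads the standard `Version:` line from a WordPress plugin’s main file (for Jetpack that is `wp-content/plugins/jetpack/jetpack.php`) and compares it against a minimum version. The page does not list the patched version numbers for each Jetpack branch, so the caller supplies the minimum for the branch they run; the plugin header and the version numbers below are constructed for the example and are not real patch levels.

```shell
#!/bin/sh
# Added example: verify a WordPress plugin's installed version against a minimum.
# Not from the article, Automattic or Jetpack. The sample header below is constructed;
# the version numbers are placeholders, not real Jetpack patch levels.

# Print the value of the "Version:" header from a WordPress plugin's main PHP file.
# Plugin headers live in the opening comment block, one " * Key: value" per line.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 is at least dotted version $2, 1 otherwise.
# Components are compared numerically from left to right; missing trailing
# components count as 0, so "10.0" and "10.0.0" compare equal.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0;
            q = (i <= nb) ? y[i] + 0 : 0;
            if (p < q) exit 1;
            if (p > q) exit 0;
        }
        exit 0;
    }'
}

# Report whether the plugin file $1 is at least version $2.
# Exit status: 0 = ok, 1 = update needed, 2 = no Version header found.
check_plugin() {
    installed=$(plugin_version "$1")
    if [ -z "$installed" ]; then
        echo "$1: no Version: header found"
        return 2
    fi
    if version_at_least "$installed" "$2"; then
        echo "$1: installed $installed >= required $2 (ok)"
        return 0
    fi
    echo "$1: installed $installed < required $2 (update needed)"
    return 1
}

# Constructed sample standing in for wp-content/plugins/jetpack/jetpack.php.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
/*
 * Plugin Name: Jetpack
 * Plugin URI: https://jetpack.com
 * Description: Constructed sample header for this example.
 * Version: 10.0.1
 */
EOF
# The required version is a placeholder supplied by the caller.
check_plugin "$SAMPLE" "10.0.0"
rm -f "$SAMPLE"
```

On a live site with WP-CLI available, `wp plugin get jetpack --field=version` prints the same header value without parsing the file by hand; the comparison logic above still applies.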

Forced updates aren’t popular with webmasters, who are often vocal about the layout and performance problems they can cause. Addressing the issue on Twitter years ago, WordPress lead developer Andrew Nacin said the project had only done it a handful of times.

This is not the first time, either: in 2019, as Bleeping Computer notes, the developers pushed a critical security update to Jetpack users to fix a bug in how the plugin processed embed code.

Via: Bleeping Computer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.