Millions of WordPress sites just got a major security upgrade


The developers of Jetpack, a hugely popular WordPress plugin, have force-installed an urgent update to fix a flaw that threatened the security of more than five million websites. 

As reported by Bleeping Computer, a user who goes by the alias nguyenhg_vcs discovered a security bug in how Jetpack handles comments for different images. Automattic is the company that built and manages both WordPress, one of the world’s most popular content management systems, and Jetpack, a plugin that offers many benefits, from additional security and improved performance to various management features. Once the bug was identified, the company prepared a security update and, due to the severity of the threat, decided to push it onto everyone.

So far, approximately five million websites have been updated, with the download statistics page showing almost all affected sites secured. We don’t know the details of what the bug actually allows hackers to do, but we do know that Automattic fixed it by adding further authorization logic.

It was added that versions almost a decade old were affected, as the patch addresses the issue starting with Jetpack 2.0.

No evidence of exploits

Automattic says there is no evidence of the flaw being used in the wild, but now that it’s out in the open, it might very well start being used. 

"Now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability," the developers said.

"To help you in this process, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0," Automattic said. "Most websites have been or will soon be automatically updated to a secured version."

Webmasters aren’t particularly fond of forced updates, and are often vocal about the problems such updates cause to site layout and performance. Addressing the issue on Twitter years ago, WordPress lead developer Andrew Nacin said the company only did it a handful of times.

In 2019, Bleeping Computer notes, the developers pushed a critical security update to Jetpack users, fixing a bug in how it processed embed code.

Via: Bleeping Computer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
