WordPress force installs update on 5 million sites following security worry

News
By Sead Fadilpašić
published

A super popular WordPress plugin was carrying a major security flaw

WordPress logo
(Image credit: WordPress)

WordPress recently force-installed a patch on more than five million websites in an attempt at keeping them safe from a newly discovered, high-severity flaw.

The flaw was found in Jetpack, one of the most popular plugins for the famed website builder, which offers additional security, performance, and website management capabilities. 

According to WordPress parent company Automattic, the plugin has more than five million active installations, with admins use it to back their sites up, to protect against brute-force attacks, to scan for malware attacks, and more. 

Most sites secured

"During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012," Auttomatic Developer Relations Engineer Jeremy Herve said. "This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation."

As of May 30, Jetpack 12.1.1 was downloaded and installed on more than 4,350,000 websites, according to official WordPress data. That makes up roughly 45% of the entire WordPress ecosystem, meaning roughly 55% is left unprotected. To avoid confusion, this includes both active and inactive installations. The majority of active websites have been patched, it would seem. 

There is no evidence of the flaw being abused in the wild, Herve said, further stating that this will now probably change once the vulnerability gets public exposure. 

Read more

> WordPress plugin exposes half a million sites to attack

> How to build a website for free: A guide to creating a site on a budget

> Check out the best website design services out there

"We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability," he added. 

"Please update your version of Jetpack as soon as possible to ensure the security of your site. To help you in this process, we have worked closely with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secured version."

The last time WordPress force-installed a major update was almost a year ago, in June 2022, when it addressed a high-severity flaw in Ninja Forms. The plugin, which boasted more than a million installations at the time, allowed potential threat actors to completely take over a vulnerable website. 

Unlike the Jetpack vulnerability, Ninja Forms’ flaw was being abused in the wild, researchers were saying at the time. Users were urged to make sure their plugin was updated to version 3.6.11, in case the automatic update fails for whatever reason.

Via: BleepingComputer

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.