A critical vulnerability affects the Jetpack WordPress plugin, starting with version 5.1.
The popular plugin is developed and maintained by Automattic, the company behind WordPress.
The good news is that the maintainers of the popular WordPress plugin have no evidence that this vulnerability has been exploited in the wild.
“We found a vulnerability in the way Jetpack processed embed code that has existed since Jetpack 5.1, released in July 2017. Thank you to Adham Sadaqah for disclosing this issue to us in a responsible manner,” reads a blog post published on the Jetpack website.
“We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability.”
At the time, both
Experts pointed out that it is only a matter of time before attackers try to exploit this flaw.
The development team revealed that it worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 5.1. Most websites have been or will soon be automatically updated.
At the time of writing, over four million out of five million WordPress installs run updated versions of the plugin.
Versions released today include 5.1.1, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.4, 6.4.3, 6.5.1, 6.6.2, 6.7.1, 6.8.2, 6.9.1, 7.0.2, 7.1.2, 7.2.2, 7.3.2, 7.4.2, 7.5.4, 7.6.1, 7.7.3, 7.8.1, 7.9.1.
The latest version 7.9.1 also addressed other minor issues, including improved compatibility with Twenty Twenty, the new default theme for WordPress.
You can update your installation to version 7.9.1 from the dashboard, or by manually downloading the Jetpack 7.9.1 release.
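To check a fleet of sites against the patched releases listed above, the following added example (not code from Jetpack or Automattic) maps each installed version to the fixed release of its branch. The site names and installed versions are constructed, and treating branches newer than 7.9 as patched is an assumption.

```python
import re

# Patched releases, copied from the list in the article.
PATCHED_RELEASES = (
    "5.1.1, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, 5.7.2, 5.8.1, 5.9.1, "
    "6.0.1, 6.1.2, 6.2.2, 6.3.4, 6.4.3, 6.5.1, 6.6.2, 6.7.1, 6.8.2, 6.9.1, "
    "7.0.2, 7.1.2, 7.2.2, 7.3.2, 7.4.2, 7.5.4, 7.6.1, 7.7.3, 7.8.1, 7.9.1"
)

def parse_version(text):
    """'7.3' -> (7, 3, 0). A suffix such as '-beta' is ignored, so a
    pre-release compares as the lowest build of its branch."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

# Map each major.minor branch to the first fixed release on that branch.
FIXED = {parse_version(v)[:2]: parse_version(v) for v in PATCHED_RELEASES.split(", ")}
FIRST_AFFECTED = (5, 1)    # the flaw has existed since Jetpack 5.1
NEWEST_BRANCH = max(FIXED)  # (7, 9)

def classify(installed):
    """Return (status, fixed release to move to or None)."""
    v = parse_version(installed)
    branch = v[:2]
    if branch < FIRST_AFFECTED:
        return "not affected", None
    if branch > NEWEST_BRANCH:
        return "patched", None  # assumption: later branches carry the fix
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown", None  # branch missing from the published list
    if v >= fixed:
        return "patched", None
    return "vulnerable", ".".join(map(str, fixed))

def triage(inventory):
    """Map each site that still needs the update to its target release."""
    results = {site: classify(ver) for site, ver in inventory.items()}
    return {s: t for s, (st, t) in results.items() if st == "vulnerable"}

# Constructed inventory: hypothetical sites and installed Jetpack versions.
SAMPLE = {"blog.example.com": "7.9", "shop.example.com": "7.9.1",
          "old.example.com": "4.8", "docs.example.com": "6.3.3"}

if __name__ == "__main__":
    for site, target in sorted(triage(SAMPLE).items()):
        print(f"{site}: installed {SAMPLE[site]}, update to at least {target}")
```

On a single site, WP-CLI's `wp plugin get jetpack --field=version` prints the installed version to pass to `classify`.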
(SecurityAffairs – WordPress, hacking)