"During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access," George Stephanis, WordPress core contributor and leader of the Jetpack team shared last week, adding that the vulnerability was introduced with Jetpack 1.9, which was released in October 2012.
"Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible," he warned.
The team has also been sending out the warning via email to users. They are taking this very seriously: the WordPress security team was asked to push updates to every version of the plugin since 1.9 through core's auto-update system, and the Jetpack team has asked hosts and network providers to help force upgrades on the users they host.
Users who fail to update the plugin on their site run the risk of being disconnected from the Jetpack service until they fix the problem.
The updated versions can be downloaded directly from the plugin's official site, or one can use the plugin's dashboard to update it (go to Plugins > Installed Plugins > Jetpack).
"Finding and fixing bugs is a key part of software development," Stephanis noted at the end. "I can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible."
He also confirmed that the issue had nothing to do with the Heartbleed bug.