Millions of WordPress sites just got a major security upgrade


The developers of Jetpack, a hugely popular WordPress plugin, have force-installed an urgent update to fix a flaw that threatened the security of more than five million websites. 

As reported by Bleeping Computer, a user who goes by the alias nguyenhg_vcs discovered a security bug in how Jetpack handles comments on different images. Once the flaw was identified, Automattic (the company that built and manages both WordPress, one of the world’s most popular content management systems, and Jetpack, a plugin that offers many benefits, from additional security and improved performance to various management features) prepared a security update and, due to the severity of the threat, decided to push it out to everyone.

So far, approximately five million websites have been updated, with the download statistics page showing almost all affected sites secured. We don’t know what the bug actually allows attackers to do, but we do know that Automattic fixed it by adding further authorization logic.

Versions almost a decade old are affected: the patch addresses the issue in every release going back to Jetpack 2.0.

No evidence of exploits

Automattic says there is no evidence of the flaw being used in the wild, but now that it’s out in the open, it might very well start being used. 

“Now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability,” the developers said.

“To help you in this process, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0,” Automattic said. “Most websites have been or will soon be automatically updated to a secured version.”

Forced updates aren’t something webmasters are particularly fond of, and they are often vocal about the problems such updates cause to a site’s layout and performance. Addressing the issue on Twitter years ago, WordPress lead developer Andrew Nacin said the company had only done it a handful of times.

As Bleeping Computer notes, in 2019 the developers pushed a critical security update to Jetpack users, fixing a bug in how the plugin processed embed code.

Via: Bleeping Computer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
