Millions of WordPress sites just got a major security upgrade

News
By published

Forced update fixed an urgent flaw in WordPress Jetpack plugin

WordPress logo
(Image credit: Pixabay)

The developers of Jetpack, a hugely popular WordPress plugin, have force-installed an urgent update to fix a flaw that threatened the security of more than five million websites. 

As reported by Bleeping Computer, a user that goes by the alias nguyenhg_vcs, discovered a security bug in how Jetpack handles comments for different images. Once identified, Automattic (the company that built and manages both WordPress, one of the world’s most popular content management systems and Jetpack, a plugin that offers many benefits, from additional security, improved performance, to various management features) prepared a security update and, due to the severity of the threat, decided to push it onto everyone.

So far, approximately five million websites have been updated, with the downloads statistics page showing almost all affected sites secured. We don’t know the details on what the bug actually allows hackers to do, but we do know that Automattic fixed it by adding further authorization logic.

Versions almost a decade old were affected, it was added, as the patch addresses the issue starting with Jetpack 2.0.

No evidence of exploits

Automattic says there is no evidence of the flaw being used in the wild, but now that it’s out in the open, it might very well start being used. 

“Now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability," the developers said.

"To help you in this process, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0," Automattic said. "Most websites have been or will soon be automatically updated to a secured version."

Forced updates aren’t something webmasters are particularly fond of, and are often vocal about the problems they cause to the site layout and its performance. Addressing the issue on Twitter years ago, WordPress lead developer Andrew Nacin said the company only did it a handful of times.

In 2019, Bleeping Computer reminds, the developers pushed a critical security update to Jetpack users, fixing a bug in how it processed embed code.

Via: Bleeping Computer

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
WordPress
Another top WordPress plugin found carrying critical security flaws
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Latest in Website Building
Wix automation
The world's leading website builder aims to save businesses time with new tool
Squarespace
Build a website for less with 10% off Squarespace subscriptions
Squarespace
Fresh season, fresh start— launch your dream website with Squarespace with this offer
Wix Printful
Wix teams up with Printful for in-house print-on-demand tools
Squarespace
Don't miss out on this great Squarespace deal
Hostinger Website Builder vs WordPress.com: Which is better?
Hostinger Website Builder vs WordPress.com: Battle of the WordPress website builders
Latest in News
Hisense U8 series TV on wall in living room
Hisense announces 2025 mini-LED TV lineup, with screen sizes up to 100 inches – and a surprising smart TV switch
Nintendo Music teaser art
Nintendo Music expands its library with songs from Kirby and the Forgotten Land and Tetris
An image of Pro-Ject's Flatten it closed and opened
Pro-Ject’s new vinyl flattener will fix any warped LPs you inadvertently buy on Record Store Day
The iPhone 16 Pro on a grey background
iPhone 17 Pro tipped to get 8K video recording – but I want these 3 video features instead
EA Sports F1 25 promotional image featuring drivers Oscar Piastri, Carlos Sainz and Oliver Bearman.
F1 25 has been officially announced, with this year's entry marking a return for Braking Point and a 'significant overhaul' for My Team mode
Garmin clippd integration
Garmin's golf watches just got a big software integration upgrade to help you improve your game
More about website building
Squarespace

Fresh season, fresh start— launch your dream website with Squarespace with this offer
Wix automation

The world's leading website builder aims to save businesses time with new tool
Samsung Galaxy Z Flip 6 in blue

5 things I want from the Samsung Galaxy Z Flip 7

See more latest
Most Popular
An AI face in profile against a digital background.
The race to trillion-parameter model training in AI is on, and this company thinks it can manage it for less than $100,000
Hisense U8 series TV on wall in living room
Hisense announces 2025 mini-LED TV lineup, with screen sizes up to 100 inches – and a surprising smart TV switch
Ninkear MBOX 8 Pro
This mini PC has a detachable docking station that hides a hard drive, and I am not convinced whether it's a good idea
Nintendo Music teaser art
Nintendo Music expands its library with songs from Kirby and the Forgotten Land and Tetris
The iPhone 16 Pro on a grey background
iPhone 17 Pro tipped to get 8K video recording – but I want these 3 video features instead
CoreWeave
Is CoreWeave another WeWork? Blogger who caused Nvidia market capitalization to drop by $600 billion in a day thinks so
Discord Clyde
Discord's game overlay has seen a complete revamp - I've tried it, and it's one of the best updates ever
Swiss flag with view of Geneva city, Switzerland
Secure encryption and online anonymity are now at risk in Switzerland – here's what you need to know
Data leak
Top home hardware firm data leak could see millions of customers affected
An image of Pro-Ject's Flatten it closed and opened
Pro-Ject’s new vinyl flattener will fix any warped LPs you inadvertently buy on Record Store Day