Jetpack for WordPress pushes patch for two year-old flaw

The developers behind Jetpack, one of WordPress' most popular plugins, have patched a serious flaw introduced in 2012 that would enable an attacker bypass access controls and publish posts to any website hosted on the blogging platform.

In a blog post on the Jetpack website, George Stephanis explained:

"During an internal security audit, we found a bug that allows an attacker to bypass a site's access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012."

While there is no proof that the vulnerability has been used in the wild, Stephanis called it a "bad bug," due to the fact that Jetpack is one of the most widely used plugins for WordPress.

Jetpack enables self-hosted WordPress installations to use features commonly associated with paid subscriptions. It offers several features that add some flare to the typical WordPress website, without the need to install plugins and widgets individually.

There was no explanation given as to why the vulnerability wasn't discovered sooner, but Stephanis said that his team has been working with WordPress security team, as well as a number of web hosts and network providers to implement network-wide blocks to mitigate the flaw's impact.

But the only sure fix is to update.

Jetpack updates should be available though the WordPress auto-update feature, but anyone using it for their WordPress installation should check to ensure the plugin is current.

For those using the latest WordPress release, Jetpack should already be at version 2.9.3, which is the latest - patched - version of the plugin. If updates via the WordPress dashboard do not fix the issue, the latest download of Jetpack will.

"Sites that don't update may be disconnected from the Jetpack service for their own security, and will be able to reconnect as soon as their version of Jetpack is updated," Stephanis wrote.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags Vulnerabilitiespatch managementWordpressjetpackapplication securityAccess control and authenticationExploits / vulnerabilities

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Steve Ragan

Latest Videos

More videos

Blog Posts