Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Millions of Sites

WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that’s installed on over five million sites.

The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0, which was released in November 2012.

“This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation,” Jetpack said in an advisory. 102 new versions of Jetpack have been released to remediate the bug.

While there is no evidence the issue has been exploited in the wild, it’s not uncommon for flaws in popular WordPress plugins to be leveraged by threat actors looking to take over the sites for malicious ends.

This is not the first time severe security weaknesses in Jetpack have prompted WordPress to force-install the patches.

In November 2019, Jetpack released version 7.9.1 to fix a defect in the way the plugin handled embed code that had existed since July 2017 (version 5.1).

The development also comes as Patchstack revealed a security flaw in the premium Gravity Forms plugin that could allow an unauthenticated user to inject arbitrary PHP code.

The issue (CVE-2023-28782) impacts version 2.7.3 and all earlier versions. It has been addressed in version 2.7.4, which was made available on April 11, 2023.
