WordPress plugin Jetpack fixes nearly decade-old critical security flaw

The popular WordPress plugin Jetpack has released a critical security update, addressing a vulnerability that could have affected 27 million websites.

The flaw was found in the plugin’s contact form feature and had remained unpatched since 2016. This vulnerability could be exploited by any logged-in user on a site to read forms submitted by other users, according to Jetpack engineer Jeremy Herve.

“We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of it,” Herve said in a statement on Tuesday.

He urged users to update to the latest version of the plugin. Jetpack also released fixes for every plugin version created since 2016. 

“Most websites have been or will soon be automatically updated to a secured version,” Jetpack statement reads.

Jetpack was developed by U.S.-based Automattic, the company behind WordPress, and provides security, performance, and marketing tools for users running their websites on the platform. The features it promotes include real‑time backups, automated malware scanning, spam protection and analytics.

This is not the first time Jetpack has fixed a years-old bug in its service. Last year, WordPress issued an automatic update to address a critical flaw in a plugin version released back in 2012. Threat actors could have exploited that flaw “to manipulate any files in the WordPress installation.”

The latest Jetpack security updates come as WordPress co-founder Matt Mullenweg revealed that the organization had taken over a popular WP Engine plugin to “remove commercial upsells and fix a security problem.” WP Engine is a third-party WordPress hosting service and a competitor of Automattic, where Mullenweg serves as CEO.

Mullenweg said WordPress has the right to remove or modify a plugin “without developer consent.” He also criticized WP Engine for not contributing enough to the open-source WordPress project.

Some developers have expressed concerns that they could find themselves at odds with Mullenweg and WordPress, which since its creation in 2003 has been open-source and free.