Posted on May 31, 2023 at 8:50 AM
WordPress force installs a security patch to resolve a critical flaw in the Jetpack plug-in
The owner of WordPress, Automat, has started the process of force installing a security update on millions of websites. The security update is being installed with the help of the WordPress Security Team. The patch will help address a critical vulnerability seen in the Jetpack plug-in.
WordPress force installs a security patch
Jetpack is one of the most popular plug-ins that are available in the market. This plug-in provides access to free security and performance and also improves the management of a website. Some of the changes that are implemented with this plug-in include site backups, protection from brute force attacks, secure login details, ability to scan malware alongside a wide range of other features.
The official WordPress plug-in repository has also said that the plug-in that was maintained by Automattic had more than five million active installations. The Developer Relations Engineer, Jeremy Herve, commented on the development, saying that an internal security audit that was conducted had detected a vulnerability whereby the API available in the Jetpack since version 2.0 was released in 2012.
“During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012. This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation. We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability,” Hervey said.
Herve has also issued an apology for the extra workload that the update might have caused to website owners and users. The company has also expressed its commitment to regularly conduct audits on all aspects of the codebase to ensure that the Jetpack site remains safe and all vulnerabilities that could be exploited by malicious actors are eliminated.
WordPress websites automatically install the Jetpack security patch
The security patch that is being automatically installed on all the WordPress websites has been labeled as Jetpack 12.1.1. WordPress has already started installing the plug-in, and it is currently available on over 4,130,000 websites that use every version of Jetpack that has ever existed since 2.0.
As such, the websites that are classified as the most vulnerable have already seen automated updates being installed, with these sites now using the latest version that is secure and free from any exploits. The rest of the websites that are seen as less vulnerable will also receive a security patch soon
Herve has also issued a caution to website admins to be aware of the growing threat to security vulnerability. The executive noted that there were no signs that the vulnerability had been exploited to trigger attacks. Website admins should also ensure that the sites they use are secure because of the likelihood of attackers picking up the details of the vulnerability and later creating exploits.
The WordPress websites that are most vulnerable to hacking exploits are the ones that have failed to install the necessary security patches. Herve noted that with the update now being released, there was a possibility that someone would attempt to exploit the flaw to compromise the sites that are slow to install the patch.
Herve further said that there was no evidence that the flaw had already been exploited in the wild. However, he has urged users to update their version of Jetpack as soon as possible to guarantee that their websites will remain secure and free from security exploits.
Herve has also said that the company had engaged the services of the WordPress.org Security Team to issue a patch to every version of the Jetpack plug-in since 2.0. The majority of websites have already been updated to a more secure version, while the rest will soon be automatically updated to prevent the likelihood of an attack happening.
However, it is not the first time that WordPress is taking matters into its own hands and automatically deployed security updates to protect its users. Such automatic updates are usually conducted to patch critical flaws in plug-ins or WordPress installations.
A similar occurrence was seen in 2020, where automatic updates were also installed on vulnerable sites. WordPress developer Samuel Wood released a statement at the time saying that the organization would install automatic security updates to support security releases for plug-ins as many times as possible.
These security releases have been installed since WordPress 3.7 was released to the market, and they have played a critical role in protecting WordPress sites from security exploits that would otherwise cause significant harm.
