WordPress has addressed a critical flaw discovered in the Jetpack plugin, which had the potential to enable authors to manipulate files within the WordPress installation. The vulnerability came to light during an internal security audit and was found to exist in an API that has been present in the Jetpack plugin since its initial release back in November 2012.
Jetpack, the team behind the plugin, acknowledged the seriousness of the vulnerability and the potential risks it posed. While there is currently no evidence of the vulnerability being exploited in the wild, the team remains vigilant due to the history of popular WordPress plugins being targeted by threat actors for malicious purposes.
To ensure the security of users’ websites, WordPress has released an automatic update that includes 102 new versions of the Jetpack plugin, each tailored to meet the specific requirements of different WordPress users. The plugin team took immediate action upon discovering the vulnerability, swiftly developing patches and releasing the necessary updates.
This incident is not the first time Jetpack has encountered security weaknesses. In November 2019, version 7.9.1 of the plugin was released to address a defect related to the handling of embed code, which had persisted since July 2017 (version 5.1).
The sources for this piece include an article in TheHackerNews.