October 15, 2024

Jetpack, a widely used WordPress plugin owned by Automattic, has released a security update to address a vulnerability that could allow logged-in users to access form submissions made by other users. Jetpack, known for its suite of tools for website security, performance, and traffic growth, is currently active on over 27 million WordPress sites.
The vulnerability was discovered by Jetpack during an internal security audit and has been present since version 3.9.9, released in 2016. It affects Jetpack's Contact Form feature and allows any logged-in user on a site, regardless of role, to read forms submitted by visitors. According to Jeremy Herve of Jetpack, the issue is now resolved.
Jetpack worked with the WordPress.org Security Team to push the fix automatically to affected sites. Because the bug spans eight years of releases, the fix was backported to 101 different versions of Jetpack, including 13.9.1, 13.8.2, and many more going back to version 3.9.10, so sites on older release branches receive the patch without having to jump to the latest version. Site owners who have disabled automatic plugin updates should confirm that their installed Jetpack version is one of the patched releases.
While there is no evidence that this vulnerability has been exploited, public disclosure increases the risk of future attacks against unpatched sites. It is also notable that in June 2023, Jetpack released a similar security patch for another critical flaw that had existed since 2012.
This update comes amid a dispute between WordPress founder Matt Mullenweg and WP Engine, a hosting provider. WordPress.org recently took control of WP Engine's Advanced Custom Fields (ACF) plugin listing and published its own fork, dubbed Secure Custom Fields.

In response to WP Engine's criticism, WordPress.org stated that WP Engine's version of the plugin remains insecure and that advising users to avoid Secure Custom Fields until the vulnerability is addressed is a failure of responsibility to customers. WordPress.org said it had privately notified WP Engine of the issue but received no response. WP Engine, in a post on X, argued that WordPress.org had never before "unilaterally and forcibly" taken control of an actively developed plugin without the creator's consent. WordPress.org countered that such actions have occurred multiple times and that it reserves the right to disable, remove, or modify any plugin for public safety without developer consent.