WordPress recently force-installed a patch on more than five million websites in an attempt at keeping them safe from a newly discovered, high-severity flaw.
The flaw was found in Jetpack, one of the most popular plugins for the famed website builder, which offers additional security, performance, and website management capabilities.
According to WordPress parent company Automattic, the plugin has more than five million active installations, with admins use it to back their sites up, to protect against brute-force attacks, to scan for malware attacks, and more.
Most sites secured
“During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012,” Auttomatic Developer Relations Engineer Jeremy Herve said. “This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation.”
As of May 30, Jetpack 12.1.1 was downloaded and installed on more than 4,350,000 websites, according to official WordPress data. That makes up roughly 45% of the entire WordPress ecosystem, meaning roughly 55% is left unprotected. To avoid confusion, this includes both active and inactive installations. The majority of active websites have been patched, it would seem.
There is no evidence of the flaw being abused in the wild, Herve said, further stating that this will now probably change once the vulnerability gets public exposure.
“We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability,” he added.
“Please update your version of Jetpack as soon as possible to ensure the security of your site. To help you in this process, we have worked closely with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secured version.”
The last time WordPress force-installed a major update was almost a year ago, in June 2022, when it addressed a high-severity flaw in Ninja Forms. The plugin, which boasted more than a million installations at the time, allowed potential threat actors to completely take over a vulnerable website.
Unlike the Jetpack vulnerability, Ninja Forms’ flaw was being abused in the wild, researchers were saying at the time. Users were urged to make sure their plugin was updated to version 3.6.11, in case the automatic update fails for whatever reason.