Jetpack pushes update to close critical security hole
Posted on 14 April 2014.
The developers of Jetpack, one of the most widely used WordPress plugins, are urging users to download and install the latest versions, which fix a critical security bug.

"During an internal security audit, we found a bug that allows an attacker to bypass a site's access controls and publish posts. This vulnerability could be combined with other attacks to escalate access," George Stephanis, WordPress core contributor and leader of the Jetpack team, shared last week, adding that the vulnerability was introduced with Jetpack 1.9, which was released in October 2012.

"Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it's just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible," he warned.

The team has also been sending out the warning via email to users. They are taking this very seriously: the WordPress security team was asked to push updates for every version of the plugin since 1.9 through core's auto-update system, and the Jetpack team has asked hosts and network providers to help by forcing upgrades for the users they host.

Users who fail to update the plugin on their site risk being disconnected from the Jetpack service until they do.

The updated versions can be downloaded directly from the plugin's official site, or one can use the plugin's dashboard to update it (go to Plugins > Installed Plugins > Jetpack).
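For hosts trying to find unpatched installs across many sites, the quickest check is the plugin header that WordPress itself reads from wp-content/plugins/jetpack/jetpack.php. The script below is an added example, not code from the Jetpack team: it parses that header and flags installs at or above 1.9 that are below the patched release for their branch. The sample headers are constructed, and the PATCHED_BY_BRANCH table is an assumption with placeholder numbers, since the page names 1.9 as the first affected version but not the fixed release numbers; fill it from the Jetpack release notes before use.

```python
import re

# Constructed sample input: the header comment WordPress reads from
# wp-content/plugins/jetpack/jetpack.php on four hypothetical hosted sites.
SAMPLE_SITES = {
    "site-a": "<?php\n/*\n * Plugin Name: Jetpack by WordPress.com\n * Version: 2.9.2\n */\n",
    "site-b": "<?php\n/*\n * Plugin Name: Jetpack by WordPress.com\n * Version: 1.8.2\n */\n",
    "site-c": "<?php\n/**\n * Plugin Name: Jetpack by WordPress.com\n * Version: 2.9.3\n */\n",
    "site-d": "<?php\n/* Plugin Name: Something Else\n * Version: 4.0 */\n",
}

# The article names Jetpack 1.9 as the release that introduced the bug.
FIRST_AFFECTED = (1, 9)

# ASSUMPTION: first fixed release per (major, minor) branch. These numbers are
# illustrative placeholders, not the real ones; take them from the Jetpack
# release notes for every branch you host.
PATCHED_BY_BRANCH = {
    (2, 9): (2, 9, 3),
}


def parse_version(text):
    """Turn a dotted version string into a comparable tuple: '2.9.2' -> (2, 9, 2)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def plugin_header(header_text, field):
    """Return the value of one WordPress plugin header field, or None if absent.

    Header lines may be prefixed by comment syntax such as ' * ' or '/* '.
    """
    pattern = r"^[\s*/]*" + re.escape(field) + r":\s*(.+)$"
    m = re.search(pattern, header_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def classify(header_text):
    """Classify one plugin header as not-jetpack, unaffected, patched,
    vulnerable, or unknown-branch (no patched release recorded)."""
    name = plugin_header(header_text, "Plugin Name") or ""
    raw_version = plugin_header(header_text, "Version")
    if "Jetpack" not in name or raw_version is None:
        return "not-jetpack"
    version = parse_version(raw_version)
    if version < FIRST_AFFECTED:
        return "unaffected"  # predates the 1.9 regression
    patched = PATCHED_BY_BRANCH.get(version[:2])
    if patched is None:
        # No fixed release recorded for this branch; treat as needing review,
        # never as safe.
        return "unknown-branch"
    return "patched" if version >= patched else "vulnerable"


def audit(sites):
    """Map each site name to its classification."""
    return {site: classify(text) for site, text in sites.items()}


if __name__ == "__main__":
    for site, status in audit(SAMPLE_SITES).items():
        print(f"{site}: {status}")
```

In production the header text would come from reading jetpack.php under each site's wp-content directory; anything reported as vulnerable or unknown-branch is a candidate for the forced upgrade the Jetpack team asked hosts to perform.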

"Finding and fixing bugs is a key part of software development," Stephanis noted at the end. "I can't promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible."

He also confirmed that the issue had nothing to do with the Heartbleed bug.
