Critical Vulnerability Patched in 101 Releases of WordPress Plugin Jetpack


Automattic on Monday announced patches for 101 versions of the popular WordPress security plugin Jetpack, to resolve a critical-severity vulnerability introduced in 2016.

The bug, which was discovered internally and does not have a CVE identifier yet, was introduced in Jetpack version 3.9.9 and affects all subsequent releases.

“During an internal security audit, we found a vulnerability with the Contact Form feature in Jetpack ever since version 3.9.9, released in 2016. This vulnerability could be used by any logged in users on a site to read forms submitted by visitors on the site,” Automattic announced.
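The advisory gives no code, but the impact it describes (any logged-in user able to read visitor submissions) is the signature of an authorization check that tests only for a session rather than for a capability. The following WordPress snippet is an added illustration of that defect class and its fix; it is not Jetpack's code, and the route names, the `example_submission` post type and the helper name are all assumptions made for the example.

```php
<?php
// Added illustration, not Jetpack's code: a REST endpoint that returns
// stored contact-form submissions. The first route only requires a
// logged-in session, so subscribers and other low-privilege accounts can
// read every visitor's submission. The second requires a capability that
// WordPress grants only to administrators by default.
// 'example_submission' and the route paths are assumptions for this example.

function example_get_submissions( WP_REST_Request $request ) {
    $entries = get_posts( array(
        'post_type'      => 'example_submission', // assumed post type holding submissions
        'post_status'    => 'private',
        'posts_per_page' => 50,
    ) );
    $out = array();
    foreach ( $entries as $entry ) {
        $out[] = array(
            'id'      => $entry->ID,
            'date'    => $entry->post_date_gmt,
            'content' => $entry->post_content,
        );
    }
    return rest_ensure_response( $out );
}

add_action( 'rest_api_init', function () {
    // Weak: is_user_logged_in() answers "is there a session?", not
    // "may this account read private data?".
    register_rest_route( 'example/v1', '/submissions-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_submissions',
        'permission_callback' => 'is_user_logged_in',
    ) );

    // Hardened: check a capability. 'manage_options' is held only by
    // administrators in a default role configuration.
    register_rest_route( 'example/v1', '/submissions', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_submissions',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this class of bug, grep for `permission_callback` values of `is_user_logged_in` or `__return_true` on routes that return user-submitted or private data, and for AJAX or admin-post handlers that never call `current_user_can()` before reading such data.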

To ensure that all WordPress websites using Jetpack are protected, the team decided to release a patch for each iteration of the plugin impacted by the bug, which amounted to a total of 101 updates being released.

Specifically, patches were released for all Jetpack versions between 3.9 and 13.9. 

Website administrators are advised to check their Jetpack version and update to a patched release as soon as possible where necessary. If the website already runs one of the patched versions, it was automatically updated and no additional action is necessary.

Automattic says it has no evidence that the vulnerability has been exploited in attacks, but warns that threat actors might attempt to target it, now that updates have been released.

Jetpack is currently installed on more than four million websites, which makes it a tempting target for malicious actors. 


“We apologize for any extra workload this may put on your shoulders today. We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe,” Automattic notes.

Related: Millions of Websites Susceptible to XSS Attack via OAuth Implementation Flaw

Related: Horizon3.ai Introduces AI-Assisted Service to Prioritize and Patch Vulnerabilities Faster

Related: WordPress Security Update 6.0.3 Patches 16 Vulnerabilities

Related: Former Employee Hacks Popular WordPress Plugin’s Website

