The software company behind popular blogging platform WordPress is automatically updating over 5 million installations of its Jetpack plugin after a critical vulnerability was found in it.
Automattic, which also counts Jetpack as one of its subsidiaries, began the update yesterday to bring users up to date with the new version, 12.1.1.
“During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012,” explained developer relations engineer at Automattic, Jeremy Herve. “This vulnerability could be used by authors on a site to control any information in the WordPress installation.”
Herve claimed there is no evidence the vulnerability has been exploited in the wild.
“However, now that the update has been released, it’s possible that someone will try to take advantage of this vulnerability,” he cautioned.
“To help you in this process, we have worked closely with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secured version.”
Herve listed 102 new versions of Jetpack released yesterday to remediate the bug.
Jetpack is designed to offer users a range of security features, including automated backups and one-click restores, a web application firewall, malware scans and brute-force attack protection. These come alongside capabilities for optimizing and customizing sites and gaining visibility into performance.
These capabilities earned Jetpack millions of global downloads.
Although fairly uncommon, automatic updates have been issued by Automattic in the past to fix security issues.
In June 2022, for example, it force-installed an update to the popular Ninja Forms plugin after over one million sites were found exposed to a new vulnerability being actively exploited in the wild.
WordPress and its plugins remain a major target for threat actors.
Security firm Wordfence claimed in 2020 that attackers were using automated tools to search for sites still running an outdated version of the File Manager plugin containing a zero-day bug.