Automattic, the company behind WordPress.com and the Jetpack plugin, is automatically updating over five million installations of Jetpack after a critical vulnerability was discovered in it.
The forced update began yesterday and brings sites up to the new version, 12.1.1.
“During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012,” explained Jeremy Herve, developer relations engineer at Automattic. “This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation.”
Herve said there is no evidence the vulnerability has been exploited in the wild.
“However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability,” he cautioned.
“To help you in this process, we have worked closely with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secured version.”
Herve listed 102 new Jetpack releases issued yesterday to remediate the bug, one patched point release for each minor branch from 2.0 through 12.1.
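Because the fix was shipped as a separate point release for every Jetpack branch, "is my site patched?" is a per-branch comparison rather than a single version check. The script below is an added example, not code from the article or from Automattic: it reads the standard WordPress plugin header (the `Version:` line at the top of `wp-content/plugins/jetpack/jetpack.php`) and compares the installed version with the minimum patched release for that site's branch. The only fixed version the article names is 12.1.1; the `PATCHED_BY_BRANCH` table is therefore an assumed, operator-maintained mapping that must be filled in from the Jetpack release list for the other branches, and the sample header is constructed for a stand-alone run.

```python
import re
from pathlib import Path

# Standard WordPress plugin header line, e.g. " * Version: 12.1.1".
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Minimum patched release per x.y branch. Only 12.1.1 is named in the
# article; every other branch is an assumption the operator fills in from
# the Jetpack release list (one patched release per branch, 2.0 to 12.1).
PATCHED_BY_BRANCH = {
    "12.1": "12.1.1",
}


def parse_version(text):
    """'12.1.1' -> (12, 1, 1); a suffix such as '-beta' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def branch_of(version):
    """Map a version to its x.y branch, e.g. '11.9.3' -> '11.9'."""
    v = parse_version(version)
    minor = v[1] if len(v) > 1 else 0
    return f"{v[0]}.{minor}"


def plugin_version(php_source):
    """Extract the Version: header from a plugin's main PHP file, or None."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def is_patched(installed, patched_by_branch=PATCHED_BY_BRANCH):
    """Return (ok, reason) for an installed version string.

    A branch with no recorded patched release is reported as unpatched
    rather than silently passing, so an incomplete table fails closed.
    """
    branch = branch_of(installed)
    minimum = patched_by_branch.get(branch)
    if minimum is None:
        return False, f"no patched release recorded for branch {branch}; treat as unpatched"
    # Tuple comparison makes (12, 1) < (12, 1, 1), so a bare branch version
    # such as '12.1' is correctly flagged as older than the 12.1.1 fix.
    if parse_version(installed) >= parse_version(minimum):
        return True, f"{installed} >= {minimum}"
    return False, f"{installed} < {minimum}: update required"


def check_site(wp_root):
    """Locate jetpack/jetpack.php under a WordPress root and check it."""
    main_file = Path(wp_root) / "wp-content" / "plugins" / "jetpack" / "jetpack.php"
    if not main_file.is_file():
        return None, "Jetpack not installed"
    version = plugin_version(main_file.read_text(errors="replace"))
    if version is None:
        return None, "could not read Version header"
    return is_patched(version)


# Constructed sample header for a stand-alone run; not the real jetpack.php.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Jetpack
 * Plugin URI: https://jetpack.com
 * Author: Automattic
 * Version: 12.1
 * Text Domain: jetpack
 */
"""

if __name__ == "__main__":
    installed = plugin_version(SAMPLE_HEADER)
    print(installed, is_patched(installed))
```

Run `check_site("/var/www/html")` (or the site's actual document root) across a fleet to get a per-site verdict; a branch missing from the table is deliberately reported as unpatched rather than assumed safe.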
Jetpack is designed to offer users a range of security features, including automated backups and one-click restores, a web application firewall, malware scans and brute-force attack protection. These come alongside capabilities for optimizing and customizing sites and gaining visibility into performance.
These capabilities earned Jetpack millions of global downloads.
Forced plugin updates of this kind are uncommon but not unprecedented.
In June 2022, for example, an update to the popular Ninja Forms plugin was force-installed through WordPress.org after more than a million sites were found exposed to a vulnerability that was being actively exploited in the wild.
WordPress and its plugins remain a major target for threat actors.
Security firm Wordfence reported in 2020 that attackers were using automated tools to scan for sites still running an outdated version of the File Manager plugin that contained a zero-day bug.