The maintainers of the Jetpack WordPress plugin have launched a safety replace to remediate a important vulnerability that would enable logged-in customers to entry varieties submitted by others on a website.
Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that provides a complete suite of instruments to enhance website security, efficiency, and site visitors progress. It is used on 27 million WordPress websites, in line with its web site.
The problem is claimed to have been recognized by Jetpack throughout an inside safety audit and has persevered since model 3.9.9, launched in 2016.
The vulnerability resides within the Contact Kind characteristic in Jetpack, and “could possibly be utilized by any logged in customers on a website to learn varieties submitted by guests on the positioning,” Jetpack’s Jeremy Herve stated.
Jetpack stated it is labored intently with the WordPress.org Safety Staff to robotically replace the plugin to a protected model on put in websites.
The shortcoming has been addressed within the following 101 totally different variations of Jetpack –
13.9.1, 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, 13.1.4, 13.0.1, 12.9.4, 12.8.2, 12.7.2, 12.6.3, 12.5.1, 12.4.1, 12.3.1, 12.2.2, 12.1.2, 12.0.2, 11.9.3, 11.8.6, 11.7.3, 11.6.2, 11.5.3, 11.4.2, 11.3.4, 11.2.2, 11.1.4, 11.0.2, 10.9.3, 10.8.2, 10.7.2, 10.6.2, 10.5.3, 10.4.2, 10.3.2, 10.2.3, 10.1.2, 10.0.2, 9.9.3, 9.8.3, 9.7.3, 9.6.4, 9.5.5, 9.4.4, 9.3.5, 9.2.4, 9.1.3, 9.0.5, 8.9.4, 8.8.5, 8.7.4, 8.6.4, 8.5.3, 8.4.5, 8.3.3, 8.2.6, 8.1.4, 8.0.3, 7.9.4, 7.8.4, 7.7.6, 7.6.4, 7.5.7, 7.4.5, 7.3.5, 7.2.5, 7.1.5, 7.0.5, 6.9.4, 6.8.5, 6.7.4, 6.6.5, 6.5.4, 6.4.6, 6.3.7, 6.2.5, 6.1.5, 6.0.4, 5.9.4, 5.8.4, 5.7.5, 5.6.5, 5.5.5, 5.4.4, 5.3.4, 5.2.5, 5.1.4, 5.0.3, 4.9.3, 4.8.5, 4.7.4, 4.6.3, 4.5.3, 4.4.5, 4.3.5, 4.2.5, 4.1.4, 4.0.7, 3.9.10
Whereas there isn’t any proof that the vulnerability has ever been exploited within the wild, there’s a probability that it could possibly be abused going ahead in mild of public disclosure.
It is value noting that Jetpack rolled out comparable fixes for an additional important flaw within the Jetpack plugin in June 2023 that had been current since November 2012.
The event comes amid an ongoing dispute between WordPress founder Matt Mullenweg and internet hosting supplier WP Engine, with WordPress.org taking management of the latter’s Superior Customized Fields (ACF) plugin to create its personal fork known as Safe Customized Fields.
“SCF has been up to date to take away business upsells and repair a safety drawback,” Mullenweg stated. “This replace is as minimal as doable to repair the safety challenge.”
WordPress didn’t disclose the precise nature of the safety drawback, however stated it has to do with $_REQUEST. It additional stated the problem has been addressed in model 6.3.6.2 of Safe Customized Fields.
“Their code is at present insecure, and it’s a dereliction of their responsibility to clients for them to inform individuals to keep away from Safe Customized Fields till they repair their vulnerability,” WordPress famous. “Now we have additionally notified them of this privately, however they didn’t reply.”
WP Engine, in a publish on X, claimed WordPress has by no means “unilaterally and forcibly” taken an actively developed plugin “from its creator with out consent.”
In response, WordPress stated “this has occurred a number of occasions earlier than,” and that it reserves the proper to disable or take away any plugin from the listing, take away developer entry to a plugin, or change it “with out developer consent” within the curiosity of public security.
