The Jetpack WordPress plugin, owned by WordPress maker Automattic, has addressed a critical security issue. The vulnerability allowed logged-in users to read forms submitted by others on the same site, posing a significant threat to user privacy.
With a user base of 27 million WordPress sites, Jetpack is known for boosting site safety, performance, and traffic growth through its all-in-one plugin suite.
Discovered during an internal security audit, the vulnerability has been present since version 3.9.9, released in 2016. The flaw was specifically found in the Contact Form feature of Jetpack, potentially enabling any logged-in user to view forms submitted by visitors.
Working closely with the WordPress.org Security Team, Jetpack released 101 updated versions so that installations are patched automatically. There is no evidence of exploitation in the wild, but now that the vulnerability has been publicly disclosed, immediate action is needed to prevent potential abuse.
In a related development, WordPress has taken control of WP Engine’s Advanced Custom Fields plugin, renaming it to Secure Custom Fields. This move comes amidst an ongoing dispute between WordPress founder Matt Mullenweg and hosting provider WP Engine. The update aims to enhance security by eliminating commercial upsells and addressing known vulnerabilities in the software.
It’s crucial for users to update their Jetpack plugin to the latest secure version to mitigate any potential risks. Additionally, staying informed about such security updates is essential to safeguard your online presence.