Decade-old critical vulnerability in Jetpack patched on millions of WordPress websites


Jetpack, an extremely popular WordPress plugin that provides a variety of functions including security features for approximately five million websites, has received a critical security update following the discovery of a bug that has been lurking unnoticed since 2012.

Jetpack’s maintainers, Automattic, announced on Tuesday that they had worked closely with the WordPress security team to release an automatic patch for every version of Jetpack since 2.0.

The security hole is in Jetpack’s API and has been since version 2.0 was released over a decade ago, in 2012.

The vulnerability, which could allow site authors to manipulate any files in a WordPress installation, was found during an internal security audit.

If exploited, the flaw could have allowed a malicious hacker to modify content on the site, which could have compromised the security of other users and visitors to the site.

The good news is that Automattic says it has seen no evidence that the vulnerability has been used in malicious attacks. However, this is far from a guarantee that the security hole has not been exploited.

If anything, now that the problem has been made public, there may now be more determined attempts by cybercriminals to exploit the flaw – which highlights the importance for all vulnerable websites powered by WordPress to ensure they are running a secure version of Jetpack.

Fortunately, WordPress has a fairly robust system of automatically pushing critical security updates in such situations, and almost all WordPress-powered websites at risk have already been automatically updated to a secure version of the Jetpack plugin.

Jetpack, just like WordPress, is open source. This means that anyone can inspect the source code, and it is often argued that one of the advantages of open source is that it means that security holes are more likely to be found.

And yet this security vulnerability went undetected for over ten years.

Just because anyone can test open source for critical security vulnerabilities doesn’t necessarily mean anyone does.


Editor’s note: The views expressed in this guest article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
