A critical flaw in the Jetpack WordPress Plugin could be exploited by threat actors to hack WordPress websites running flawed versions of the plugin.

A critical vulnerability affects the Jetpack WordPress Plugin version Jetpack 5.1. and later, admins and owners of WordPress websites are urged to update their installs to Jetpack version 7.9.1.

Jetpack is a popular WordPress plugin with over 5 million active installations that provides a suite of features for security, performance, and site management.

The popular plugin was developed and maintained by Automattic, the company behind WordPress. The flaw was responsibly disclosed by the researcher Adham Sadaqah, it resides in the way Jetpack processed embed code. “

The good news is that the maintainers of the popular WordPress plugin have no evidence that this vulnerability has been exploited in the wild.

“We found a vulnerability in the way Jetpack processed embed code that has existed since Jetpack 5.1, released in July 2017. Thank you to Adham Sadaqah for disclosing this issue to us in a responsible manner.” reads a blog post published on the Jetpack website.

“We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability.”

At the time, both Sadaqah and the developers behind the plugin did not reveal details of the issue to avoid its exploitation by threat actors and to protect the sites that haven’t yet updated.

Experts pointed out that it is only a matter of time before attackers try to exploit this flaw.

The development team revealed that it worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 5.1.

Developers also say that they worked with the WordPress.org Security Team to release patches for every version of Jetpack since 5.1. Most websites have been or will soon be automatically updated.

At the time of writing over four million out of 5 million WordPress installs run updated versions of the plugin.

Versions released today include 5.1.1, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.4, 6.4.3, 6.5.1, 6.6.2, 6.7.1, 6.8.2, 6.9.1, 7.0.2, 7.1.2, 7.2.2, 7.3.2, 7.4.2, 7.5.4, 7.6.1, 7.7.3, 7.8.1, 7.9.1.

The latest version 7.9.1 also addressed other minor issues, including improved compatibility with Twenty Twenty, the new default theme for WordPress.

You can update your installation to the 7.9.1 version using the dashboard, or manually downloading the Jetpack 7.9.1 release here.

Pierluigi Paganini

(SecurityAffairs – WordPress, hacking)