Jetpack fixes 8-year-old vulnerability affecting millions of WordPress sites

Published 19 Oct 2024

Jetpack rolled out a critical security update last week to address a vulnerability in its Contact Form feature that has existed since 2016. The flaw potentially allows logged-in users to access sensitive information submitted by site visitors. Administrators running any of the approximately 101 affected versions, dating back to version 3.9.9, are urged to verify their installations and apply the latest patch.

According to Jetpack’s development team, the flaw was uncovered during an internal security audit. They stated, “During an internal security audit, we found a vulnerability with the Contact Form feature in Jetpack. Any logged-in users could use this vulnerability on a site to read forms submitted by visitors on the site.” Despite the patch being automatically deployed to affected websites, the company urges administrators to manually verify that they are running the latest version to mitigate risks.

The Jetpack plugin is a widely used tool developed by Automattic, the same company behind WordPress.com, and is estimated to be present on approximately 27 million websites. With such widespread adoption, the potential impact of the flaw is significant. While Jetpack has reported no evidence of the vulnerability being exploited in the wild, the company cautions that attackers may attempt to exploit the flaw now that it has been publicly disclosed.

“Now that the update has been released, it is possible that someone will try to take advantage of this vulnerability,” Jetpack noted in its statement.

As site administrators work to ensure their sites are secure, the importance of timely updates has become more apparent in the context of recent cybersecurity developments. For example, another critical vulnerability, CVE-2024-40711, was recently reported in Veeam Backup & Replication software. With a CVSS score of 9.8, this deserialization flaw allows unauthenticated remote code execution and is present in versions 12.1.2.172 and earlier. Administrators are advised to apply the patch immediately to avoid potential exploits.

In parallel, the European Union has also rolled out new regulations to improve cybersecurity across critical infrastructure sectors. The NIS2 directive, implemented in 2023, now requires companies in critical sectors to report cyber incidents within 24 hours and disclose information loss within 72 hours. Failure to comply could result in fines of up to €10 million or 2% of a company’s global turnover. EU antitrust chief Margrethe Vestager commented, “In today’s cybersecurity landscape, stepping up our capabilities, security requirements and rapid information sharing with up-to-date rules is of paramount importance. I urge the remaining Member States to implement these rules at national level as fast as possible.”

While site administrators focus on updates and patching, there is some positive news in cybersecurity, particularly for educational institutions in the UK. The UK’s National Cyber Security Centre (NCSC) has extended its protective DNS (PDNS) service trial, offering free DNS filtering to schools to prevent malware and other threats. Stephen Morgan, UK Minister for Early Education, stated, “We have worked closely with the [NCSC] on this service to ensure all schools can now benefit from enhanced cyber resilience at no cost to them and I encourage settings to take advantage of this enhanced protection.”

The urgency surrounding cybersecurity updates is underscored by a recent report from Google’s Mandiant division, which found that the time-to-exploit (TTE) for newly discovered vulnerabilities has drastically decreased.

According to Mandiant, the average time to exploit fell from 32 days in 2022 to just five days in 2023. “The shifting ratio appears to be influenced more from the recent increase in zero-day usage and detection rather than a drop in n-day usage,” Mandiant noted. This trend highlights the necessity for organizations to quickly respond to vulnerabilities like the one discovered in Jetpack.

As cybersecurity threats evolve, administrators and organizations alike are urged to remain vigilant, applying patches swiftly and ensuring compliance with updated regulations to safeguard their digital environments.