Admins and WordPress website owners are advised to install the Jetpack 7.9.1 Critical Security Update immediately to prevent potential attacks that may exploit a vulnerability that has existed since Jetpack 5.1. You can update your installation to the 7.9.1 version through your dashboard, or manually download the Jetpack 7.9.1 release here.
Jetpack is a highly popular WordPress plugin that provides free protection, performance, and site management features such as site backups, secure logins, malware scanning, and brute-force attack defense. The plugin has more than 5 million active installs and is developed and managed by Automattic, the organization behind WordPress.
The vulnerability was found in the way Jetpack interpreted embed code. Adham Sadaqah is credited with responsibly disclosing the security issue.
Specifics about the security flaw have not been released, in order to protect sites that have not yet been patched, but Jetpack's announcement says the bug affects all versions since 5.1, which dates back to July 2017.
The Jetpack developers note that until the release of the crucial Jetpack 7.9.1 security update, no evidence was found that the vulnerability was exploited in the wild.
Nonetheless, now that the upgrade has been released, "it is only a matter of time before someone tries to take advantage of this vulnerability," the developers claim. The development team also says it has collaborated with the WordPress.org Security Team to publish updates for every version of Jetpack since 5.1 and that "most websites have been or will soon be automatically updated to a secure version."
Currently, more than four million of the more than five million WordPress websites using Jetpack have been updated, according to the plugin's entry on the WordPress plugins website. "Versions released today include: 5.1.1, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.4, 6.4.3, 6.5.1, 6.6.2, 6.7.1, 6.8.2, 6.9.1, 7.0.2, 7.1.2, 7.2.2, 7.3.2, 7.4.2, 7.5.4, 7.6.1, 7.7.3, 7.8.1, 7.9.1," the Jetpack development team says.
If you are running any of these versions, your website is not vulnerable to this issue. But if you're not running the latest and greatest, 7.9.1, your site is missing other security enhancements.
Last year, hackers also found a way to use weakly protected WordPress.com accounts and the remote management feature of the Jetpack plugin to install backdoor plugins on WordPress websites.
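The version list above can be turned into an inventory check. The following is an added example, not code from Jetpack or from the original article: it classifies an installed Jetpack version against the fixed release for its branch. It assumes that later patch releases in a branch, and branches newer than 7.9, keep the fix; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed releases exactly as quoted in the article, one per affected branch.
PATCHED_RELEASES = (
    "5.1.1, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, "
    "6.1.2, 6.2.2, 6.3.4, 6.4.3, 6.5.1, 6.6.2, 6.7.1, 6.8.2, 6.9.1, 7.0.2, "
    "7.1.2, 7.2.2, 7.3.2, 7.4.2, 7.5.4, 7.6.1, 7.7.3, 7.8.1, 7.9.1"
)
FIRST_AFFECTED_BRANCH = (5, 1)  # the article: flaw present since Jetpack 5.1

def parse_version(text):
    """Return (major, minor, patch, suffix); '7.9' parses with patch 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0), m[4]

# Map each affected branch (major, minor) to its first fixed patch level.
FIXED_PATCH = {}
for _release in PATCHED_RELEASES.split(","):
    _major, _minor, _patch, _suffix = parse_version(_release)
    FIXED_PATCH[(_major, _minor)] = _patch
NEWEST_FIXED_BRANCH = max(FIXED_PATCH)

def classify(version):
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown'."""
    major, minor, patch, suffix = parse_version(version)
    branch = (major, minor)
    if branch < FIRST_AFFECTED_BRANCH:
        return "not-affected"
    if suffix:  # beta/RC/custom builds may predate the fix: check by hand
        return "unknown"
    if branch > NEWEST_FIXED_BRANCH:
        return "patched"  # assumption: newer branches carry the fix
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:  # branch inside the range but absent from the list
        return "unknown"
    return "patched" if patch >= fixed else "vulnerable"

def sites_needing_attention(inventory):
    """inventory maps site name to Jetpack version; return the risky ones."""
    statuses = {site: classify(ver) for site, ver in inventory.items()}
    return {s: st for s, st in statuses.items() if st in ("vulnerable", "unknown")}

if __name__ == "__main__":
    sample = {"blog.example": "7.9.1", "shop.example": "7.8.0",  # constructed
              "old.example": "4.9.2", "dev.example": "7.9.1-beta"}
    print(sites_needing_attention(sample))
```

On a host with WP-CLI installed, `wp plugin get jetpack --field=version` prints the installed version string to feed into `classify`.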