The folks behind the Jetpack WordPress plugin have released a security update to address a critical vulnerability that could allow logged-in users to access forms submitted by others on the site.
Owned by WordPress makers Automattic, Jetpack is an all-in-one plugin that offers a wide range of tools to improve site security, performance and traffic growth. It is used on 27 million WordPress sites, according to its website.
The issue is said to have been discovered by Jetpack during an internal security audit and has existed since version 3.9.9, released in 2016.
The vulnerability resides in the contact form feature in Jetpack and “could be used by any user logged in to the site to read forms submitted by visitors to the site,” Jetpack’s Jeremy Hervé said.
Jetpack said it works closely with the WordPress.org security team to automatically update the plugin to a secure version on installed sites.
The flaw has been fixed in the following 101 different versions of Jetpack –
13.9.1, 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, 13.1.4, 13.0.1, 12.9.4, 12.8.2, 12.7.2, 12.6.3, 12.5.1, 12.4.1, 12.3.1, 12.2.2, 12.1.2, 12.0.2, 11.9.3, 11.8.6, 11.7.3, 11.6.2, 11.5.3, 11.4.2, 11.3.4, 11.2.2, 11.1.4, 11.0.2, 10.9.3, 10.8.2, 10.7.2, 10.6.2, 10.5.3, 10.4.2, 10.3.2, 10.2.3, 10.1.2, 10.0.2, 9.9.3, 9.8.3, 9.7.3, 9.6.4, 9.5.5, 9.4.4, 9.3.5, 9.2.4, 9.1.3, 9.0.5, 8.9.4, 8.8.5, 8.7.4, 8.6.4, 8.5.3, 8.4.5, 8.3.3, 8.2.6, 8.1.4, 8.0.3, 7.9.4, 7.8.4, 7.7.6, 7.6.4, 7.5.7, 7.4.5, 7.3.5, 7.2.5, 7.1.5, 7.0.5, 6.9.4, 6.8.5, 6.7.4, 6.6.5, 6.5.4, 6.4.6, 6.3.7, 6.2.5, 6.1.5, 6.0.4, 5.9.4, 5.8.4, 5.7.5, 5.6.5, 5.5.5, 5.4.4, 5.3.4, 5.2.5, 5.1.4, 5.0.3, 4.9.3, 4.8.5, 4.7.4, 4.6.3, 4.5.3, 4.4.5, 4.3.5, 4.2.5, 4.1.4, 4.0.7, 3.9.10
While there is no evidence that the vulnerability has ever been exploited in the wild, there is a possibility that it could be exploited in the future in light of the public disclosure.
It should be noted that Jetpack rolled out a similar set of fixes for another critical flaw in the plugin in June 2023, one that had existed since November 2012.
The development takes place against the background of the continuing dispute between WordPress founder Matt Mullenweg and hosting provider WP Engine, with WordPress.org taking control of the latter’s Advanced Custom Fields (ACF) plugin to create its own fork called Secure Custom Fields.
“SCF has been updated to remove commercial oversells and address the security issue,” Mullenweg said. “This update is as minimal as possible to address the security issue.”
WordPress did not disclose the exact nature of the security issue, but said it was related to $_REQUEST. It goes on to say that the issue has been resolved in version 6.3.6.2 of Secure Custom Fields.
“Their code is currently insecure and it is a dereliction of duty to their customers to tell people to avoid protected user fields until they fix their vulnerability,” WordPress noted. “We also reported this to them privately, but they did not respond.”
WP Engine, in a post on X, argued WordPress has never “unilaterally and forcibly” taken an actively developed plugin “from its creator without consent.”
In response, WordPress said “this has happened a few times before,” and that it reserves the right to disable or remove any plugin from the directory, remove developer access to the plugin, or modify it “without the developer’s consent” in the interest of public safety.