Critical vulnerability in Jetpack plugin affects millions of WordPress websites

Once again, reports have appeared of security flaws that could affect millions of users of WordPress, the most popular content management system (CMS). According to web application security specialists, a critical vulnerability has been detected in Jetpack, one of the most widely used WordPress plugins.

Jetpack offers free security, performance, and website management features such as anti-malware scanning, secure login, backup creation, and countermeasures against some hacking activities, such as brute force attacks. Jetpack, developed by Automattic (WordPress' parent company), is estimated to have more than five million currently active users, so an exploitable security flaw would have a wide reach.

Adham Sadaqah, a web application security specialist, discovered the vulnerability while reviewing the plugin's code. He subsequently reported the flaw to the company following the disclosure practices established by the cybersecurity community.

So far no further technical details about this flaw have been revealed, since withholding them protects active Jetpack users from exploitation risks. At this moment it is only known that the flaw affects all versions of the plugin since 5.1. It is important to note that no evidence of exploitation of this flaw in the wild has appeared.

After receiving the report, Automattic released security update 7.9.1, although web application security specialists believe it is only a matter of time before a threat actor reverse-engineers the security patch and the vulnerability becomes exploitable again, so the team in charge of this plugin is expected to release automatic updates on a regular basis.

The official WordPress site states that more than 4 million Jetpack users have already applied this update, and the remaining users are urged to install the patch as soon as possible.
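As an added, defender-side example (not from the article, Automattic, or the Jetpack project), the POSIX shell function below tells whether an installed Jetpack version string falls in the affected range stated above (5.1 up to, but not including, the 7.9.1 fix); the optional `check_site` wrapper assumes WP-CLI is installed and that `wp plugin get jetpack --field=version` is run from the site's WordPress root.

```shell
#!/bin/sh
# Added example: audit helper for the affected Jetpack range (>= 5.1, < 7.9.1).
# Version strings are assumed to be dotted numerics such as "7.9.0".

# Compare two dotted version strings component by component.
# Prints "lt", "eq" or "gt" (first relative to second). Missing components
# count as 0, so "7.9" is treated as "7.9.0".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
    done
    echo eq
}

# Exit status 0 (true) when the given version is inside the affected range
# reported by the article: at least 5.1 and below the 7.9.1 fix.
jetpack_affected() {
    [ "$(vercmp "$1" 5.1)" != lt ] && [ "$(vercmp "$1" 7.9.1)" = lt ]
}

# Optional live check (assumption: WP-CLI present, run from the WordPress
# root). Exit 0 = affected, 1 = not affected, 2 = could not read the version.
check_site() {
    v="$(wp plugin get jetpack --field=version 2>/dev/null)" || return 2
    jetpack_affected "$v"
}
```

Run `check_site` in a cron job or deployment check and treat exit status 0 as a finding to remediate by updating Jetpack.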

This is not the first time a security flaw has been discovered in Jetpack. According to experts from the International Institute of Cyber Security (IICS), threat actors have developed methods to install backdoored plugins on WordPress sites, exposing millions of users to risk.