Automattic, the company behind the WordPress content management system, will force a security update to be deployed on more than 5 million websites running the Jetpack WordPress plugin.
Jetpack is a very popular WordPress plugin that provides free security, performance, and website management features, including brute force attack protection, website backup, secure login, and malware scanning. The plugin has more than 5 million active installs, and it is developed and maintained by Automattic, the company behind WordPress.
The vulnerability was discovered in the Carousel feature, specifically in its option to display comments for each picture; nguyenhg_vcs is credited with responsibly disclosing the bug. To protect sites that have not yet been updated, the details of the vulnerability have not yet been made public. However, Automattic’s announcement stated that it affects every version since Jetpack 2.0, meaning the flaw dates back to November 2012.
The Jetpack development team added that it has found no evidence of the vulnerability being exploited in the wild. Automattic plans to install the patch on all websites running vulnerable Jetpack versions by means of mandatory updates. According to the download statistics on the WordPress plugin site, the security update has already been pushed to most of those websites.