The developers behind Jetpack, one of WordPress' most popular plugins, have patched a serious flaw introduced in 2012 that would enable an attacker bypass access controls and publish posts to any website hosted on the blogging platform.
In a blog post on the Jetpack website, George Stephanis explained:
"During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012."
While there is no proof that the vulnerability has been used in the wild, Stephanis called it a "bad bug," due to the fact that Jetpack is one of the most widely used plugins for WordPress.
Jetpack enables self-hosted WordPress installations to use features commonly associated with paid WordPress.com subscriptions. It offers several features that add some flare to the typical WordPress website, without the need to install plugins and widgets individually.
There was no explanation given as to why the vulnerability wasn't discovered sooner, but Stephanis said that his team has been working with WordPress security team, as well as a number of web hosts and network providers to implement network-wide blocks to mitigate the flaw's impact.
But the only sure fix is to update.
Jetpack updates should be available though the WordPress auto-update feature, but anyone using it for their WordPress installation should check to ensure the plugin is current.
For those using the latest WordPress release, Jetpack should already be at version 2.9.3, which is the latest - patched - version of the plugin. If updates via the WordPress dashboard do not fix the issue, the latest download of Jetpack will.
"Sites that don’t update may be disconnected from the Jetpack service for their own security, and will be able to reconnect as soon as their version of Jetpack is updated," Stephanis wrote.