Critical vulnerability in Jetpack plugin affects millions of WordPress websites

Once again, reports have emerged of a security flaw that could affect millions of users of WordPress, the most popular content management system (CMS). According to web application security specialists, a critical vulnerability has been found in Jetpack, one of the most widely used WordPress plugins.

Jetpack offers free security, performance, and website management features such as malware scanning, secure login, backup creation, and protection against some common attacks, such as brute-force login attempts. Jetpack, developed by Automattic (the parent company of WordPress.com), is estimated to have more than five million active installations, so an exploitable security flaw would have a very wide reach.

Adham Sadaqah, a web application security specialist, discovered the vulnerability while reviewing the plugin's code. He subsequently reported the flaw to the company, following the responsible disclosure practices accepted by the cybersecurity community.

So far no further technical details about the flaw have been published, in order to protect active Jetpack users from exploitation while they update. At this point it is only known that the flaw affects every version of the plugin since 5.1. No evidence of exploitation in the wild has appeared so far.

After receiving the report, Automattic released security update 7.9.1. Web application security specialists nevertheless believe it is only a matter of time before a threat actor reverse-engineers the security patch and the vulnerability becomes exploitable again, so the team in charge of the plugin is expected to keep pushing automatic updates on a regular basis.

The official WordPress site states that more than 4 million Jetpack installations have already received this update; the remaining users are urged to install the patch as soon as possible.
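For site operators who manage more than a handful of installations, the practical question is simply whether the installed Jetpack build falls inside the range the article describes. The script below is an added example, not code from the article or from Automattic. It assumes only what the article states (every release since 5.1 is affected, 7.9.1 is the first fixed release) and that the plugin inventory comes from WP-CLI's `wp plugin list --format=json`; the inventory embedded here is a constructed sample in that shape.

```python
"""Check whether an installed Jetpack version lies in the affected range
described in the article. Added example; not from the article or Automattic.

Assumptions (taken from the article): every release from 5.1 onward is
affected, and 7.9.1 is the first fixed release. On a live site the
inventory comes from `wp plugin list --format=json`; the sample below is
constructed to match that output shape.
"""
import json
import re

FIRST_AFFECTED = "5.1"   # article: "all versions of the plugin since 5.1"
FIRST_FIXED = "7.9.1"    # article: "security update 7.9.1"

# Constructed sample, shaped like `wp plugin list --format=json` output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "jetpack", "status": "active", "update": "available", "version": "7.8.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.3"},
])


def parse_version(text):
    """Turn '7.9.1' (or '7.9.1-beta2') into a comparable tuple of ints.

    Pre-release suffixes are dropped on purpose: treating a 7.9.1 beta as
    7.9.1 is the conservative choice for a "do I need to update" check.
    Short versions are zero-padded so that 7.9 compares equal to 7.9.0.
    """
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True when FIRST_AFFECTED <= version < FIRST_FIXED."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIRST_FIXED)


def assess_inventory(inventory_json):
    """Find the Jetpack entry in a plugin inventory and report its status.

    Returns a dict so callers (or a fleet-wide wrapper) can aggregate
    results instead of parsing printed text.
    """
    for plugin in json.loads(inventory_json):
        if plugin.get("name") == "jetpack":
            return {
                "installed": True,
                "version": plugin["version"],
                "active": plugin.get("status") == "active",
                "affected": is_affected(plugin["version"]),
            }
    return {"installed": False, "version": None, "active": False, "affected": False}


if __name__ == "__main__":
    result = assess_inventory(SAMPLE_INVENTORY)
    if not result["installed"]:
        print("Jetpack is not installed on this site.")
    elif result["affected"]:
        print(f"Jetpack {result['version']} is in the affected range; "
              f"update to {FIRST_FIXED} or later.")
    else:
        print(f"Jetpack {result['version']} is outside the affected range.")
```

On a real host, pipe the CLI output in instead of the sample: `wp plugin list --format=json` produces the same `name`/`status`/`version` fields the script reads. The script reports an inactive-but-installed Jetpack as well, since the plugin code remains on disk whether or not it is activated and the update should be applied either way.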

This is not the first time a security flaw has been discovered in Jetpack. According to experts from the International Institute of Cyber Security (IICS), threat actors have developed methods to install backdoored plugins on WordPress sites, exposing millions of users.
