A critical vulnerability has been identified in the Jetpack WordPress plugin, impacting approximately 27 million websites. This issue allows logged-in users to access submitted forms from other users, which can compromise the privacy and security of user data.

Affected Systems:

• WordPress Jetpack plugin: All versions from 3.9.9 to 13.9

Security Risks

The identified vulnerability may enable unauthorized access to submitted forms, posing significant risks to data confidentiality and undermining user trust.

For the full list of the 101 different versions of Jetpack of security patches released by Jetpack, please refer to Jetpack Security updates.

Recommended Actions

The National Cyber Security Authority (NCSA) strongly recommends to system administrators to:

• Follow and put in place the security updates shared by Jetpack to lower the risk of this vulnerability.

• Apply the required and latest security updates as soon as possible.

• The released software version to upgrade to is:

  • • WordPress Jetpack plugin version 13.9.1 or any later version.  

• Before any update task, please ensure you have a recent backup that can easily be restored.

For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us on 9009.

References

• https://jetpack.com/blog/jetpack-13-9-1-critical-security-update/

• https://thehackernews.com/2024/10/wordpress-plugin-jetpack-patches-major.html

• https://jetpack.com/newsroom/