Millions of WordPress Sites at Risk: Jetpack Plugin Vulnerability Exposed
The developers of the Jetpack plugin for WordPress have released a security update to address a critical vulnerability that allowed authorized users to access forms submitted by other site visitors.
Jetpack, owned by Automattic, offers a comprehensive suite of tools designed to enhance site security and performance. According to the plugin’s website, it is used on 27 million WordPress sites.
The vulnerability was discovered in Jetpack’s contact form feature during an internal security audit. It had been present since version 3.9.9, released in 2016. The issue permitted authorized users to view data submitted by visitors through the site’s forms.
Jetpack representative Jeremy Herve noted that the developers worked closely with the WordPress.org security team to automatically update the plugin to a secure version on all installed sites. Patched releases were issued across Jetpack's version branches, from 13.9.1 back to 3.9.10, with the full list of affected versions published on the developer’s website.
Although there is currently no evidence of the vulnerability being exploited by malicious actors, the risk of exploitation remains following the public disclosure of the issue.