Jetpack 3.4.3: Coordinated Security Release

Jetpack 3.4.3 contains a critical security update and you should update your sites and any you help manage as soon as possible.

Background

Sucuri notified us of an issue where improperly escaped URLs were being generated by a number of high-profile WordPress plugins, including Jetpack and Yoast. We’ve worked with the WordPress Security Team to coordinate a release which is being pushed out to all users. By the time we published this post (6pm GMT, April 20, 2015), if you haven’t opted out of auto-updates, your sites will update themselves automatically.

The Vulnerability

The vulnerability Sucuri discovered would allow an attacker to send a WordPress user with administrative rights a link which could execute malicious JavaScript. The vulnerability was introduced in Jetpack 3.0 and to date we have no evidence of this being exploited. However, now that this update is public, it’s more likely that exploits may occur. To avoid a breach, you should update your site as soon as possible.

How to Update

We have prepared and shipped updates to all affected versions of Jetpack. Unless you’ve opted out, your sites should update automatically – please check your sites to confirm that the Jetpack plugin has been successfully updated to one of these versions: 3.0.3, 3.1.2, 3.2.2, 3.3.3, or 3.4.3.

If not, please visit the Plugins page in your Dashboard and update Jetpack from there or update all your sites in bulk from wordpress.com/plugins/jetpack.

Note: Not all plugins affected by this issue will be auto-updating; some will be releasing updates separately. For that reason, we highly recommend that you make sure that all your plugins are up-to-date as updates are released over the next few days.

We also recommend updating any other plugins you may have installed to their latest version – not all plugins will update automatically the way Jetpack does.
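
For anyone checking several sites at once, the version rule above can be scripted. This is an added example, not code from Jetpack or from this post: the site names and inventory are constructed, and treating releases newer than 3.4.3 as patched is an assumption.

```python
import re

# Fixed point release for each affected branch, as listed in the post.
PATCHED = {(3, 0): 3, (3, 1): 2, (3, 2): 2, (3, 3): 3, (3, 4): 3}
INTRODUCED = (3, 0)  # per the post, the flaw first shipped in Jetpack 3.0


def parse_version(text):
    """Return (major, minor, patch); a missing patch component counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def jetpack_status(version):
    """Classify one installed Jetpack version string."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "not-affected"  # predates the vulnerable code
    if branch in PATCHED:
        return "patched" if patch >= PATCHED[branch] else "vulnerable"
    # Assumption: branches newer than 3.4 carry the fix forward.
    return "patched"


def sites_needing_update(inventory):
    """Return the sorted site names whose Jetpack version is still vulnerable."""
    return sorted(s for s, v in inventory.items() if jetpack_status(v) == "vulnerable")


# Constructed inventory: site name -> version shown on its Plugins page.
SAMPLE_INVENTORY = {
    "blog.example": "3.4.3",
    "shop.example": "3.3.2",
    "old.example": "2.9.3",
    "docs.example": "3.1",
    "news.example": "3.0.3",
}

if __name__ == "__main__":
    for site in sites_needing_update(SAMPLE_INVENTORY):
        print(f"{site}: Jetpack {SAMPLE_INVENTORY[site]} needs updating")
```

A version reported without a patch component, such as "3.1", is read as 3.1.0 and therefore flagged.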

Feedback

As always, we greatly appreciate your continued use and support of Jetpack and we sincerely apologize for the inconvenience this has caused.

We take the security of your sites extremely seriously so please feel free to get in touch with our support team, create a new forum post, or leave a comment on this blog post if you have any concerns or problems updating.

We’d also like to extend our huge thanks to the crew on the WordPress Security Team who worked around the clock – and across timezones and several plugin teams – to coordinate today’s release.

Sam Hotchkiss

Sam currently leads development on the widely used Jetpack plugin at Automattic, he's started and run multiple successful companies, and enjoys taking photos when he gets the chance. When they're not traveling, Sam and his wife, Becky, live in beautiful New Mexico, where he passes the time by talking about himself in third person.

Comments

  1. Richard Weberg says:

    Thanks for the update and keeping us informed, JetPack is an awesome plugin and only wish I had found it sooner!

  2. look says:

    Hi, I desire to subscribe for this web site to get newest updates, thus where can I do it please help out.

    • Richard Muscat says:

      Hi, you should be able to do that by clicking the “Follow” button that shows up on the bottom right of the screen.