With the release of Jetpack 3.7.1 and 3.7.2 this week, we’ve added some important security updates and bug fixes. We strongly encourage you to update your sites to the latest version as soon as possible.
In Jetpack 3.7.1 we made a lot of improvements to the plugin, including some important security fixes:
- Jetpack versions 3.7.0 and earlier are affected by a cross-site scripting vulnerability in the contact form, caused by improper input sanitization. Reported by Marc-Alexandre Montpas from Sucuri.
- Jetpack version 3.7.0 is affected by an information disclosure vulnerability in certain hosting configurations. Reported by Jaime Delgado Horna of Listae.
Other notable updates in this release include:
- Updating the Google+ logo in our sharing buttons.
- Adding custom capabilities for module management for multisite installs.
- Fixing a bug that was sending the contact form response fields in the wrong order.
In Jetpack 3.7.2, we fixed a REST API error that created multiple drafts and multiple published posts when posting through the API.
The full changelog can be found on our plugin page.
Thanks to everyone who contributed to these two releases: Alexander Kirk, Andrew Duthie, Brandon Kraft, Dennis Snell, Derek Smart, Dion Hulse, Eduardo Reveles, Enej Bajgoric, Eric Binnion, George Stephanis, Gregory Cornelius, Igor Zinovyev, James Nylen, Jeremy Herve, Jesse Friedman, Joen Asmussen, Joey Kudish, Kat Hagan, Marcus Kazmierczak, Miguel Lezama, Sam Hotchkiss, and Timmy Crawford.