Jetpack 4.0.3: Critical Security Update

Jetpack 4.0.3 contains a critical security update, and you should update all the sites you manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.


We found a vulnerability in the way that some Jetpack shortcodes are processed. This bug has existed since Jetpack 2.0, released in November 2012. Thank you to Marc-Alexandre Montpas from Sucuri for his research and responsible disclosure of this issue.

Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before someone attempts to exploit it. To avoid any problems, you should update your site as soon as possible.

We have been working closely with the WordPress security team, which has pushed updates to all impacted versions through core’s auto-update system. If you’ve updated to Jetpack 4.0.3 (or a secure version listed below), you’re in the clear. This security update not only fixes this vulnerability, but also fixes any potential exploits that may have been in place prior to the update. This is why upgrading to a secure version of Jetpack as soon as possible is so important.

If you’ve been using Akismet, you’re protected and have been since this vulnerability was first reported to our security team. Also, any sites using VaultPress 1.8.3 will already have the fix automatically applied to their sites. We still recommend updating Jetpack to ensure your site is protected.

We have prepared and shipped point releases for all twenty-one vulnerable branches of the Jetpack codebase: 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3, 3.9.7, and 4.0.3. Downloads for each branch can be found here.
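One way to audit an inventory of sites against the release list above, as an added example that is not part of the original post or Jetpack's own code. The site names and version strings in `SITES` are constructed, and treating branches newer than 4.0 as patched is an assumption.

```python
import re

# Patched point release for each vulnerable branch, as listed in the post above.
FIXED = ("2.0.7 2.1.5 2.2.8 2.3.8 2.4.5 2.5.3 2.6.4 2.7.3 2.8.3 2.9.4 3.0.4 "
         "3.1.3 3.2.3 3.3.4 3.4.4 3.5.4 3.6.2 3.7.3 3.8.3 3.9.7 4.0.3").split()
FIXED_BY_BRANCH = {tuple(map(int, v.split(".")[:2])): int(v.split(".")[2])
                   for v in FIXED}

# Constructed inventory (hypothetical sites): site name -> installed version.
SITES = {"blog.example": "3.9.6", "shop.example": "4.0.3",
         "old.example": "1.9.2", "dev.example": "2.0",
         "staging.example": "4.0.3-beta1"}


def parse(version):
    """Return (major, minor, patch, is_prerelease) or raise ValueError."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), pre is not None


def audit(version):
    """Classify one installed version; return (status, release to upgrade to)."""
    major, minor, patch, pre = parse(version)
    branch = (major, minor)
    if branch < (2, 0):
        return "not-affected", None      # the post dates the bug to Jetpack 2.0
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        # A pre-release of the fixed number is conservatively treated as unpatched.
        if patch > fixed or (patch == fixed and not pre):
            return "patched", None
        return "vulnerable", f"{major}.{minor}.{fixed}"
    if branch > max(FIXED_BY_BRANCH):
        return "patched", None           # assumption: later branches carry the fix
    return "unknown", None               # a 2.x-4.0 branch the post does not list


def report(sites):
    """Map each site to its (status, upgrade target) pair."""
    return {site: audit(version) for site, version in sites.items()}


if __name__ == "__main__":
    for site, (status, target) in report(SITES).items():
        print(f"{site:16} {status:12} {'-> ' + target if target else ''}")
```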

We have compiled some frequently asked questions (or FAQs) regarding this update with more information. If you need more detailed information about how to update Jetpack to a secure version, you can follow the steps in our how-to guide.

Finding and fixing bugs is a key part of software development. We can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.

Thanks go out to the security teams at both Automattic and WordPress core, the Jetpack support team, and, in particular: Brandon Kraft, Carolyn Sonnek, Dion Hulse, Dominik Schilling, Gary Pendergast, Marc-Alexandre Montpas, Nikolay Bachiyski, Sam Hotchkiss, George Stephanis, and Alexander Concha.


2 Responses to Jetpack 4.0.3: Critical Security Update

  1. Robert Felty says:

    Thanks for the quick fix

  2. Thanks for these Great facilities and services.

    Thanks a Lot. Thank you Jetpack
