Jetpack 4.0.3: Critical Security Update

Jetpack 4.0.3 contains a critical security update, and you should update all the sites you manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.

jetpack-security

We found a vulnerability in the way that some Jetpack shortcodes are processed. This bug has existed since Jetpack 2.0, released in November 2012. Thank you to Marc-Alexandre Montpas from Sucuri for his research and responsible disclosure of this issue.

Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before someone attempts to exploit it. To avoid any problems, you should update your site as soon as possible.

We have been working closely with the WordPress security team, which has pushed updates to all impacted versions through core’s auto-update system. If you’ve updated to Jetpack 4.0.3 (or a secure version listed below), you’re in the clear. This security update not only fixes this vulnerability, but also fixes any potential exploits that may have been in place prior to the update. This is why upgrading to a secure version of Jetpack as soon as possible is so important.

If you’ve been using Akismet, you’re protected and have been since this vulnerability was first reported to our security team. Also, any sites using VaultPress 1.8.3 will already have the fix automatically applied to their sites. We still recommend updating Jetpack to ensure your site is protected.

We have prepared and shipped point releases for all twenty-one vulnerable branches of the Jetpack codebase: 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3, 3.9.7, and 4.0.3. Downloads for each branch can be found here.

We have compiled some frequently asked questions (or FAQs) regarding this update with more information. If you need more detailed information about how to update Jetpack to the a secure version, you can follow the steps in our how-to guide.

Finding and fixing bugs is a key part of software development. We can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.

Thanks go out to the security teams at both Automattic and WordPress core, the Jetpack support team, and, in particular: Brandon Kraft, Carolyn Sonnek, Dion Hulse, Dominik Schilling, Gary Pendergast, Marc-Alexandre Montpas, Nikolay Bachiyski, Sam Hotchkiss, George Stephanis, and Alexander Concha.

This entry was posted in Releases and tagged , , . Bookmark the permalink.

2 Responses to Jetpack 4.0.3: Critical Security Update

  1. Robert Felty says:

    Thanks for the quick fix

  2. Thanks for these Great facilities and services.

    Thanks a Lot . Thankyou Jetpack

  • Recent Comments

    Laura Plumb on Jetpack 4.5: Monetize your sit…
    Jetpack added VR sup… on Jetpack 4.5: Monetize your sit…
    Jeremy on Jetpack 4.5: Monetize your sit…
    Laura Plumb on Jetpack 4.5: Monetize your sit…
    Jeremy on Jetpack 4.5: Monetize your sit…
  • Archives

  • Enter your email address to follow this blog and receive notifications of new posts by email.

  • Install Jetpack to see our full lineup of features.

    Install Jetpack Now

    Don’t need every single Jetpack feature? No problem. Only activate what you want!

    %d bloggers like this: