Jetpack 4.0.3 contains a critical security update, and you should update all the sites you manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.
We found a vulnerability in the way that some Jetpack shortcodes are processed. This bug has existed since Jetpack 2.0, released in November 2012. Thank you to Marc-Alexandre Montpas from Sucuri for his research and responsible disclosure of this issue.
Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it is only a matter of time before someone attempts to exploit it. Update your site as soon as possible rather than waiting to find out whether you are targeted.
We have been working closely with the WordPress security team, which has pushed updates to all impacted versions through core’s auto-update system. If you’ve updated to Jetpack 4.0.3 (or a secure version listed below), you’re in the clear. This security update not only closes the vulnerability, but also neutralizes any exploit payload that may already have been placed on your site before you updated. This is why upgrading to a secure version of Jetpack as soon as possible is so important.
If you’ve been using Akismet, you’re protected and have been since this vulnerability was first reported to our security team. Also, any sites using VaultPress 1.8.3 will already have the fix automatically applied to their sites. We still recommend updating Jetpack to ensure your site is protected.
We have prepared and shipped point releases for all twenty-one vulnerable branches of the Jetpack codebase: 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3, 3.9.7, and 4.0.3. Downloads for each branch can be found here.
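If you manage many sites, the question to answer per site is whether its installed Jetpack build is at or above the patched point release for its branch. The script below is an added example for that triage, not code from the Jetpack project. It takes the twenty-one patched releases exactly as listed above; everything else is an assumption: that releases newer than 4.0.3 keep the fix, that builds older than 2.0 predate the bug (and are unsupported anyway), and that version strings are plain dotted numbers. The sample inventory at the bottom is constructed.

```python
"""Classify installed Jetpack versions against the shortcode advisory.

Added example, not Jetpack project code. The patched releases come from the
advisory; the handling of versions outside that range is an assumption.
"""
from typing import Dict, Tuple

# Patched point release for every vulnerable branch, as listed in the advisory.
SECURE_RELEASES = (
    "2.0.7", "2.1.5", "2.2.8", "2.3.8", "2.4.5", "2.5.3", "2.6.4", "2.7.3",
    "2.8.3", "2.9.4", "3.0.4", "3.1.3", "3.2.3", "3.3.4", "3.4.4", "3.5.4",
    "3.6.2", "3.7.3", "3.8.3", "3.9.7", "4.0.3",
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.9.7' or '4.0' into a comparable tuple, zero-padded to 3 parts.

    A tag like '4.0' means 4.0.0. Anything non-numeric (e.g. '4.0.3-beta') is
    rejected rather than guessed, so a bad inventory entry is visible.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jetpack version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))


# (major, minor) -> patched release for that branch, derived from the list.
PATCHED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in SECURE_RELEASES}
NEWEST_PATCHED = max(PATCHED_BY_BRANCH.values())  # (4, 0, 3)
FIRST_AFFECTED = (2, 0, 0)                         # bug introduced in Jetpack 2.0


def jetpack_status(version: str) -> str:
    """Return 'secure', 'vulnerable' or 'not_affected' for one version.

    'secure'       at/above the patched release of its branch, or newer than
                   4.0.3 (assumption: later releases keep the fix)
    'vulnerable'   a 2.0 .. 4.0 build below its branch's patched release
    'not_affected' older than 2.0, before the bug existed (still unsupported)
    """
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not_affected"
    if v > NEWEST_PATCHED:
        return "secure"
    patched = PATCHED_BY_BRANCH.get(v[:2])
    if patched is None:
        # Every branch from 2.0 to 4.0 is in the advisory's list, so this only
        # happens for an unexpected tag; fail closed.
        return "vulnerable"
    return "secure" if v >= patched else "vulnerable"


def triage(sites: Dict[str, str]) -> Dict[str, str]:
    """Map {hostname: installed version} to {hostname: status}."""
    return {host: jetpack_status(ver) for host, ver in sites.items()}


if __name__ == "__main__":
    # Constructed sample inventory; on a real fleet the versions would come
    # from each site, e.g. via `wp plugin get jetpack --field=version`.
    inventory = {
        "blog.example": "3.9.6",    # one release short of the 3.9.7 fix
        "shop.example": "4.0.3",
        "docs.example": "2.0",      # reads as 2.0.0, below 2.0.7
        "legacy.example": "1.9.2",  # predates the bug
        "news.example": "4.1",      # hypothetical later release
    }
    for host, status in triage(inventory).items():
        print(f"{host:16} {inventory[host]:>6}  {status}")
```

The comparison is per branch rather than against 4.0.3 alone: a site on 3.9.7 is fixed even though 3.9.7 sorts below 4.0.0, which is exactly why the point releases were shipped for every branch.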
We have compiled some frequently asked questions (or FAQs) regarding this update with more information. If you need more detailed information about how to update Jetpack to a secure version, you can follow the steps in our how-to guide.
Finding and fixing bugs is a key part of software development. We can’t promise there will never be another issue like this, but we can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.
Thanks go out to the security teams at both Automattic and WordPress core, the Jetpack support team, and, in particular: Brandon Kraft, Carolyn Sonnek, Dion Hulse, Dominik Schilling, Gary Pendergast, Marc-Alexandre Montpas, Nikolay Bachiyski, Sam Hotchkiss, George Stephanis, and Alexander Concha.