We found a vulnerability in the way Jetpack processed embed code that has existed since Jetpack 5.1, released in July 2017. Thank you to Adham Sadaqah for disclosing this issue to us in a responsible manner.
We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability.
In addition to the security release, Jetpack 7.9.1 fixes a few other minor issues, including improved compatibility with Twenty Twenty, the new default theme for WordPress.
In addition to Jetpack 7.9.1, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 5.1. Most websites have been or will soon be automatically updated to a secured version. Versions released today include 5.1.1, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.4, 6.4.3, 6.5.1, 6.6.2, 6.7.1, 6.8.2, 6.9.1, 7.0.2, 7.1.2, 7.2.2, 7.3.2, 7.4.2, 7.5.4, 7.6.1, 7.7.3, 7.8.1, 7.9.1. If you are running any of these versions, your website is not vulnerable to this issue. But, if you’re not running the latest and greatest—7.9.1—your site is missing other security enhancements!
Jetpack 
Thanks Jetpack team.
LikeLike
What’s up with Jetpack 7.1.1 – is it vulnerable? You haven’t mentioned it above.
And another Question: Where is the information for widget visibility stored?
LikeLike
Jetpack 7.1 and Jetpack 7.1.1 are vulnerable. Your site would be offered or auto-updated to Jetpack 7.1.2 to patch it.
Widget visibilty is stored within the widget instance itself along with the widget’s own data.
LikeLike
Is Jetpack 7.1.2 available for WordPress 4.9.12? I’m not seeing it as an available update in the WordPress dashboard or from WP-CLI when checking for updates.
It looks like the minimum supported version should be WordPress 4.9, https://plugins.trac.wordpress.org/browser/jetpack/tags/7.1.2/jetpack.php. Any idea why the update might not be showing up as available? (sorry if this is a double post, not sure if my first comment got through)
LikeLiked by 1 person
Thanks for asking. I’ve checked with the WordPress.org team, which handles the system that offers upgrades to sites, and he made a tweak which should improve things for older versions of WordPress. You should see the upgrade soon if you still weren’t. Thanks for bringing this up.
LikeLiked by 2 people
Hi, we just received this email from WordPress says that ” We are reaching out to you today because we identified your site are a vulnerable version of the Jetpack plugin.
According to the author of this plugin, this issue has been patched in a recent update to the plugin.”
Is there anything we can do to fix it?
Thanks!
LikeLike
Hi Claudia,
Just update to the latest version of Jetpack–the full list of patched versions is in the post. Most sites would have been auto-updated to one of the above versions, but if your site is on a different version, please update.
LikeLike
Thank you for the quick reply! We do have the auto-update plugin, and we are using the latest version. But WordPress seems saying that the issue is causing by the recent update of the plugin. Maybe I get this wrong?
LikeLike
I believe you’re referring to an e-mail from WP Engine, your hosting provider. “this issue has been patched in a recent update to the plugin” is saying that the issue has been fixed in a recent update, so be sure to update to that version.
LikeLike
Got it, thank you so much!
LikeLike
Hi! I’m on v6.5 but I don’t see the update to 6.5.1 (I need to be kept in that brach because wp4.9.1 and can’t update right now)
What should i do to force it to update from 6.5 to 6.5.1? Thanks
LikeLike
Hi Juan,
In this case, you may use FTP/SFTP or File Manager (from your host) then:
1, delete wp-content/plugins/jetpack folder
2, download Jetpack 6.5.1 and unzip it
3, upload it to the same folder
You can download any Jetpack version in the dropdown here https://wordpress.org/plugins/jetpack/advanced/ . Specifically, the download link for Jetpack 6.5.1 is https://downloads.wordpress.org/plugin/jetpack.6.5.1.zip
LikeLike
Hi,
I’ve just updated the plugin and noticed that the dashboard seems to be missing its stylesheet. All links and content is displayed without any styling. Is this an issue with the plugin itself? I can’t re-produce the issue with the previous version I have install on a staging site, which is 7.8.1, which leads me to believe it’s an issue with the plugin and not my site files creating a conflict.
LikeLike
I haven’t seen or heard of that happening yet. Could you reach out via jetpack.com/contact-support/ with as much detail as possible regarding which styles appear off.
WordPress 5.3, also released recently, did update the admin styles too so there will be visible differences on WP 5.3 too.
LikeLike
Thanks for the reply. I probably spoke too soon, as it appears to be an issue with the latest WP version, as you suggested, as I see now that there are styling issues with other plugins I have installed as well.
LikeLike