During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.
Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)
This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.
Over the next few hours, we will reach out to individuals whose sites are still running an insecure version. Sites that don’t update may be disconnected from the Jetpack service for their own security, and will be able to reconnect as soon as their version of Jetpack is updated.
If you host a large number of Jetpack-powered blogs, please leave your contact information in the comments so we can be in touch in the future. We have prepared and shipped point releases for all eleven vulnerable branches of the Jetpack codebase: 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3. If you can force these upgrades for your hosted users, it will prevent their sites from being compromised.
Finding and fixing bugs is a key part of software development. I can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.
Jetpack 
Reblogged this on Portal of Delusion and commented:
Upgrade your Jetpack !
LikeLike
Thanks for all your hard work! I’ve shared this with my network and I am updating numerous sites now…
Definitely appreciate the work you all do.
LikeLike
Thank you for being proactive and doing your very best to protect affected sites.
LikeLike
There’s no option showing for updating Jetpack on my website.
DO I download it and install it new?
LikeLike
What version does WordPress say that you are running? You may have been automatically updated already.
LikeLike
from the paragraph above there is a very real implication that 2.9.3 is vulnerable as well. This is a souce of confusion … at least for me.
Read it! Think about it ! Tell us what you think!
————————————————————————————————————-
If you host a large number of Jetpack-powered blogs, please leave your contact information in the comments so we can be in touch in the future. We have prepared and shipped point releases for all eleven vulnerable branches of the Jetpack codebase: 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3. If you can force these upgrades for your hosted users, it will prevent their sites from being compromised.
——————————————————————————————————-
LikeLike
2.9.3 is secure.
When listing them, the eleven listed versions are the point releases that were shipped.
LikeLike
My website is not automatically updated, it is still showing jetpack 2.9.2 but there is no option to update the plugin. Can u plz look into this? I dont want to lose my jetpack settings.
LikeLike
Could you try to update the plugin manually, by following the instructions here? If you experience issues, send us an email!
LikeLike
You can simple do a manual update if you are not sure. I would deactivate and delete the old version, then install the latest version (which includes the update) from the Jectpack site or WordPress.org.
LikeLike
You need to go to Plugins/Installed Plugins. Scroll down to see your Jetpack installation. On the right at the bottom you should see what version you are running. If this is not 2.9.3 (the latest version) then you’ll see a notification below saying, “There is a new version of Jetpack..” and giving a link on the right of that to Update now. Just click on this and you’ll be updated to 2.9.3.
You can’t update from the Jetpack link at the top of the dashboard where you set up your modules, which is probably causing the confusion. You have to update from Plugins/Installed Plugins/Jetpack.
Hope this helps.
LikeLike
Hi there,
I am confused. I went to my site and do not see a security update for Jetpack.
Where should I look?
LikeLike
Hi there! What version of Jetpack does WordPress say that you are running? You may have been automatically updated already. You can find more info and step-by-step instructions here. And if you need any help, just let us know!
LikeLike
Ryan, Thank you for explaining that to suzanneshugar…. I was also very concerned and unable to feel confident with the information presented. A graphic is always good….thanks again..
LikeLike
You’re welcome! I definitely understand your concern, but as long as you update to the patched version you will be fine 🙂 Don’t hesitate to let us know if you have any questions!
LikeLike
Just look on plugin page which version you have. If it’s 2.9.3, then it’s already updated.
LikeLike
I can’t remember upgrading either, but on 90% of my sites Jetpack is up to date. I’m guessing my hosting company took care of that.
LikeLike
My site is running Jetpack 2.9.3, however this notice above say ”Jetpack version 2.9.3 contains a critical security update,” Clicking to download the new .zip file says 2.9.3 so what’s the difference between the one already running on the site and this new one? I’m not being prompted to upgrade in my dashboard either. What am I missing?
LikeLike
If you’re running 2.9.3, then you’re good. You already have the critical security update. 🙂
LikeLike
Thanks for the prompt response ‘tocayo’ 😉
LikeLike
Thanks for all the hard work and email notification, JetPack team! Updating my site right now…
LikeLike
As a software/web developer myself, and with the recent heartbleed vulnerability causing mass-hysteria, most of us know and understand that security issues can be found in any software at any time.
What I must admire, is the exceptional way in which the Jetpack and WordPress teams have handled this situation. It’s great to see that such dedication goes into the security of a product, and that the end users are kept so well informed!
IMHO, This makes a perfect case-study on handing security vulnerabilities “the right way”.
We passed on the level of customer care that you give us to our own customers, rolling out the update on both our own WordPress networks (containing a total of 21 sites) and our numerous client’s standalone sites as quickly as physically possible.
Great work guys,
Keep it up!
LikeLike
F***ing awesome response guys. As a dev I respect your admission and admire your quickness to respond when you found out about it. Well handled. Very happy.
LikeLike
I received an email that security vulnerability with the version of Jetpack active on my site. I actually cannot see it anymore on my site, but if I try to upload a new version of Jetpack: 2.9.3,it tells me that it’s already installed. It’s not in my plug in or on my dashboard. Help!
LikeLike
Is it perhaps running via a mu-plugins folder, or is it network-activated? If neither of these, please shoot in something via our contact form.
LikeLike
I dont see an option for auto update im currently on Version 2.3.5 what should i do ?
LikeLike
You can download version 2.3.7 manually here to update via FTP. If you need help updating, please contact support.
LikeLike
Thanks George , i will send a support ticket .. !
LikeLike
Do I need to first uninstall my current version of Jetpack 2.2.5, and then install a clean version of 2.9.3? I don’t see any other way. I see no prompts for an update to Jetpack whatsoever.
Having to completely uninstall it and then install a clean version runs counter to how I understand WordPress plugins are supposed to work. Am I missing something?
When I go to upload the latest version that I downloaded via Jetpack’s notification emails for all my sites, it won’t install because it won’t overwrite the existing Jetpack directory on the server.
Thoughts?
Thanks for the fast notification. Wish the upgrade was a little cleaner, though.
LikeLike
If you have FTP access, you can just overwrite the old plugin with the new that way. Alternately, deleting and reinstalling an up to date version will work, but you may need to enable/disable a few modules if the preferences get affected.
LikeLike
Tis the season for updates I guess – makes one’s heart bleed 🙂
@Buffered to all my networks….
LikeLike
The download is for the same version. Where is the correct one?
LikeLike
What version of Jetpack does WordPress say that you are running? You may have been automatically updated already. You can find more info and step-by-step instructions here. And if you need any help, send us an email!
LikeLike
Wait, does this mean only Jetpack-used plugins are unaffected after updating? (already did)
or is it sitewide?
LikeLike
If you’ve updated to a patched version of the plugin, Jetpack should work properly and the vulnerability is fixed.
But you can of course take measures to make the rest of your WordPress site secure, as explained here:
http://codex.wordpress.org/Hardening_WordPress
LikeLike
I’m on 2.0.2. Why am I not able to auto-update? What am I going to lose doing a manual update?
LikeLike
What version of WordPress are you on? You may need to update core first, to have the updater run as expected. We’ve just made a change for the older security releases, so you may be able to update them as-is — but we would still strongly encourage you to update core to current.
LikeLike
3.6.1, and updating core is non-trivial in this case.
I’ve removed the 2.0.2 plugins/jetpack and replaced it with 2.0.6. I did not deactivate first, the plugin says it is now 2.0.6, and I was not asked to reconnect with wordpress.com. Am I good for now? Anything missed?
LikeLike
Nope, you’re good.
LikeLike
Haha I didn’t check if my Jetpack was automatically updated before manually downloading the update and manually updating. Thanks to Jetpack I was in panic mode, thanks alot 🙂
LikeLike
Hi George,
The wording of this update notice is a bit confusing. It sez there are eleven vulnerable branches, then goes on to list them with v2.9.3 in the vulnerable group.
Then elsewhere in your comments you state that 2.9.3 is OK and NOT vulnerable. So perhaps there are only 10 vulnerable branches, or is there a 2.9.3.x un-shown version update.
Perhaps to save support time and traffic the notice could be rewritten to clarify the above.
Also, if it is a hidden 2.9.3.x update, is there a way (certain file version or date stamp) that would reveal the situation.
And, how does all this fit in with the new WP policy of doing back end security updates without user intervention.
thanks for the catch and quick posting to hosts…. great work!
bc
LikeLike
There are eleven vulnerable branches, 1.9-2.9 — version 2.9.3, along with the other ten listed versions, are secure.
LikeLike
I’m trying to update our WrodPress site, but when the update starts it takes me to Connection Info page and says my credentials are wrong for my FTP (which is correct, I recently changed the password). However, I am unable to make any edits to the password text box on the screen. Is there another place in WordPress I can update Jetpack with my new log in credentials?
LikeLike
Can you log into your web server via a FTP client such as Filezilla to update that way?
LikeLike
If I understood any of the words in your reply, I would do that. =] Sadly, I use WordPress because I am not Web site literate. Is Filezilla something I can download as well?
LikeLike
Can you send in a support request via jetpack.me/contact-support and one of our awesome Happiness Engineers will help you out? In the mean time, please deactivate Jetpack to keep your install secure.
LikeLike
Will do! I look forward to working with a Happiness Engineer. =]
LikeLike
Updated. No worries now?
LikeLike
If you’ve updated, you can rest assured. All is well with Jetpack on your site now.
LikeLike
I’m really confused. I received emails from Jetpack letting me know to update through the dashboard of my sites that has the plugin on, but when I went, I don’t see an option/prompt for me to upgrade. All of my sites have 2.9.3 version when I checked them. So, from my understanding with the emails/messages, 2.9.3 has a major bug and I have to update (re-update?) it to the same version?
Please clarify, thanks!
LikeLike
If you’re running 2.9.3, then you’re good. That version is secure. Your sites were automatically updated for you.
LikeLike
Thank you so much for letting me know. (whew!) 🙂
LikeLike
Hey, I got this message when updating the plugin…
“Updating Plugin Jetpack by WordPress.com (2/2)
Downloading update from https://downloads.wordpress.org/plugin/jetpack.2.7.2.zip…
Unpacking the update…
An error occurred while updating Jetpack by WordPress.com: Could not copy file. jetpack/_inc/images/footer-clouds-2x.png”
Please advice, thanks
LikeLike
Could you try to update the plugin manually, by following the instructions here? If you experience issues, send us an email!
LikeLike
Hey everyone,
when i try to update jetpack through my dashboard then it comes us as “download failed. couldn’t connect to host”
anyone got any ideas on how to get it updated?
any help will be much appreciated.
LikeLike
Could you try to update the plugin manually, by following the instructions here? If you experience issues, send us an email!
LikeLike
Thank you guys, I’ve got a notification from BlueHost about this update, and they’ve told me they are working to update all sites on their servers, so sweet!
LikeLike
Automatic update of plugin mixed up things. I had to uninstall the plugin and delete all files from file manager. Dont know what happened actually! It was giving error on line 85/86
LikeLike
If you still experience issues after the manual update, do not hesitate to send us an email!
LikeLiked by 1 person
Hello, Just so I am clear on what you are saying here, Am I correct in thinking that as long as the Jetpack I am running is 2.9.3 that is safe and anything other than 2.9.3 needs to be updated. Should there be an update on the WordPress sites that do not have Jetpack 2.9.3?
LikeLike
If you use Jetpack 2.9.3, you’re indeed safe.
If you run an old version of the plugin, you’ll need to update to 2.9.3, or to a patched version of your current Jetpack plugin. We’ve provided links to each point release for all eleven vulnerable branches of Jetpack in the article.
LikeLiked by 1 person
If Jetpack is already deactivated, is there a need to update?
LikeLike
Hi Meredith! As long as you haven’t connected to WordPress.com, you’re fine. You can find some more info about that here. Please let us know if you have any questions!
LikeLike
Great, thank you!
LikeLike
Does this apply to Slim Jetpack as well?
LikeLike
You’ll need to get in touch with the Slim Jetpack plugin authors to make sure.
Another alternative would be to use Jetpack’s development mode instead of this third-party plugin. The dev mode allows you to use Jetpack without connecting your site to a WordPress.com account. You can read more about it here:
http://jetpack.me/support/development-mode/
LikeLike
George: Thank you. I have updated my websites. I have just recently had my computer debugged so I’m hoping that the problem was found.
LikeLike
I just hit update so hope all is fine.
LikeLike
Just finished updating and changing a few settings. So… no more worries now?
LikeLike
If you’ve updated to one of the patched versions, the vulnerability is now fixed on your site. No more worries there!
LikeLike
Thank you for the heads up!
LikeLike
Something strange happened to me.
My site has WP 3.8.2 with jetpack 3.9.2. Since 10/04 the site stopped responding; in the error log I found this:
PHP Fatal error: require_once() [function.require]:
Failed opening required ‘…/wp-content/plugins/jetpack/class.jetpack.php’
(include_path=’.:/usr/lib/php:/usr/local/lib/php’) in …/wp-content/plugins/jetpack/jetpack.php on line 37
Looking in the folder “…/wp-content/plugins/jetpack/” I’ve found just a few files of those needed (comparing it to the zip file downloaded from here). All the files are dated “10/04/2014 23.44”, but nobody worked on the site last days. In the folder there is the “readme.txt”: opened, it contains referencing to the version 3.9.3 of jetpack.
It seems like someone (who? automatically?) tried to update the jetpack without completing the work.
What’s happened?
How can I see if the jetpack’s options stored in the db were modified?
Can I FTP upload the entire folder “jetpack” (3.9.2 or 3.9.3?) to revive the site?
Do I lost the options doing that?
Thanks
LikeLike
It seems the automatic update failed on your site. Could you try to update manually, as explained here:
http://jetpack.me/support/how-to-install-the-security-update/#download
You won’t lose any of your Jetpack options in the process.
If you experience more issues with the update, do not hesitate to send us an email!
http://jetpack.me/contact-support/
LikeLike
“automatic update”?
Does jetpack has an automatic update service?
However, I just uploaded the jetpack 3.9.3 via FTP, and all seems to be good: the site’s running and the options are safe.
LikeLike
As noted above,
We (the Jetpack team) didn’t actually push the auto-update, we put the update together and worked with some WordPress core developers who selected to auto-update WordPress sites that would accept it.
LikeLike
hello,
I am running wordpress 3.8.2. I have the plugin “Jetpack by WordPress.com” Version 2.5 and it doesn’t tell me to update anything, how comes? Do I have to find a way to do it manually?? Thanks.
LikeLike
Could you try to update manually, by following the instructions here;
http://jetpack.me/support/how-to-install-the-security-update/#download
If you experience issues during the update, do not hesitate to send us an email!
http://jetpack.me/contact-support/
LikeLike
Hey there I’m having a problem, my jetpack can’t be updated, since its failed to be updated I can’t find anymore my jetpack on the dashboard, when I’m trying the new installation, it was said destination folder already exist, plugin instal failed! Can someone help me?
LikeLike
Could you please contact one of our Happiness Engineers with your current WordPress version, plugin version, and whether you have FTP access handy via jetpack.me/contact-support? They’d be delighted to walk you through it.
LikeLike
Hi, I’m getting this error on one of my sites: “An error occurred while updating Jetpack by WordPress.com: Could not copy file. jetpack/_inc/images/footer-clouds-2x.png”
Any advice? Thanks!
LikeLike
Looks like your server may be running out of memory when installing the plugin — can you try installing via FTP?
LikeLike
I wasn’t running jetpack – but my site was hacked as described in this post here in the past week.
LikeLike
This applies only to sites that are running Jetpack. If you were hacked within the past week, but aren’t using Jetpack, then you must have another security hole somewhere else within your infrastructure.
LikeLike
I have a 3.5.1 WordPress. What is the highest version number of JetPack that I can install on my WordPress 3.5.1 ? At the moment I have got JetPack 2.2.7. How high I can go without updating WordPress ?
LikeLike
Jetpack version 2.6.3 supports back to Core version 3.5 officially as per its readme.txt
LikeLike
Why were Site Stats eliminated? I really liked that feature in Jetpack and was surprised to see it eliminated with no warning or mention.
LikeLike
The WordPress.com Stats module has not been eliminated.
LikeLike
Well, it completely disappeared from my site when I upgraded. No module on the Jetpack page in my dashboard, no chart at the top of the page when I’m logged in, and when I go to my stats via my bookmark, I get “You do not have sufficient permissions to access this page.” I’m not the only person with this problem, judging by some of the other forums I’ve been commenting on.
LikeLike
Could you please contact support via jetpack.me/contact-support/ ? It certainly should be showing, unless you have some other non-Jetpack code active that is intentionally disabling it.
LikeLike
My other thought is that perhaps your installation got a bit goofed with the upgrade — the zip didn’t fully unpack — so if you try reinstalling via FTP, it may show up again.
LikeLike
Turns out the issue is a conflict with the Subscribe2 widget. When I deactivate that, the Site Stats come back. I’ll have to wait until the Subscribe2 widget author resolves the problem in order to see site stats again.
LikeLike
thanks!
LikeLike