Jetpack 3.4.3 contains a critical security update and you should update your sites and any you help manage as soon as possible.
Sucuri notified us of an issue where improperly escaped URLs were being generated by a number of high-profile WordPress plugins, including Jetpack and Yoast. We’ve worked with the WordPress Security Team to coordinate a release which is being pushed out to all users. By the time we published this post (6pm GMT, April 20, 2015), if you haven’t opted out of auto-updates, your sites will update themselves automatically.
How to Update
We have prepared and shipped updates to all affected versions of Jetpack. Unless you’ve opted out, your sites should update automatically – please check your sites to confirm that Jetpack plugin has been successfully updated to one of these versions: 3.0.3, 3.1.2, 3.2.2, 3.3.3, or 3.4.3.
If not, please visit the Plugins page in your Dashboard and update Jetpack from there or update all your sites in bulk from wordpress.com/plugins/jetpack.
Note: Not all plugins affected by this issue will be auto-updating, some will be releasing updates separately. For that reason, we highly recommend that you make ensure that all your plugins are up-to-date as updates are released over the next few days.
We also recommend updating any other plugins you may have installed to their latest version – not all plugins will be automatically updating (like Jetpack)
As always, we greatly appreciate your continued use and support of Jetpack and we sincerely apologize for the inconvenience this has caused.
We take the security of your sites extremely seriously so please feel free to get in touch with our support team, create a new forum post, or leave a comment on this blog post if you have any concerns or problems updating.
We’d also like to extend our huge thanks to the crew on the WordPress Security Team who worked around the clock – and across timezones and several plugin teams – to coordinate today’s release.