Jetpack 13.9.1: Critical Security Update

Earlier today we released a new version of Jetpack, 13.9.1. This release contains a critical security update. While we have no evidence that this vulnerability has been exploited yet, please update your version of Jetpack as soon as possible to ensure the security of your site.

To help you in this process, we have worked closely with the WordPress.org Plugins Team to release patched versions of every version of Jetpack since 3.9.9. Most websites have been or will soon be automatically updated to a secured version.

During an internal security audit, we found a vulnerability with the Contact Form feature in Jetpack ever since version 3.9.9, released in 2016. This vulnerability could be used by any logged in users on a site to read forms submitted by visitors on the site.

Here is a full list of the 101 different versions of Jetpack we’ve released today:

13.9.1, 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, 13.1.4, 13.0.1, 12.9.4, 12.8.2, 12.7.2, 12.6.3, 12.5.1, 12.4.1, 12.3.1, 12.2.2, 12.1.2, 12.0.2, 11.9.3, 11.8.6, 11.7.3, 11.6.2, 11.5.3, 11.4.2, 11.3.4, 11.2.2, 11.1.4, 11.0.2, 10.9.3, 10.8.2, 10.7.2, 10.6.2, 10.5.3, 10.4.2, 10.3.2, 10.2.3, 10.1.2, 10.0.2, 9.9.3, 9.8.3, 9.7.3, 9.6.4, 9.5.5, 9.4.4, 9.3.5, 9.2.4, 9.1.3, 9.0.5, 8.9.4, 8.8.5, 8.7.4, 8.6.4, 8.5.3, 8.4.5, 8.3.3, 8.2.6, 8.1.4, 8.0.3, 7.9.4, 7.8.4, 7.7.6, 7.6.4, 7.5.7, 7.4.5, 7.3.5, 7.2.5, 7.1.5, 7.0.5, 6.9.4, 6.8.5, 6.7.4, 6.6.5, 6.5.4, 6.4.6, 6.3.7, 6.2.5, 6.1.5, 6.0.4, 5.9.4, 5.8.4, 5.7.5, 5.6.5, 5.5.5, 5.4.4, 5.3.4, 5.2.5, 5.1.4, 5.0.3, 4.9.3, 4.8.5, 4.7.4, 4.6.3, 4.5.3, 4.4.5, 4.3.5, 4.2.5, 4.1.4, 4.0.7, 3.9.10.

If your site is running any of these versions, your website is not vulnerable to this issue anymore, it has been automatically updated to a secure version.

We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability.

We apologize for any extra workload this may put on your shoulders today. We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe.

Jeremy Herve

WordPress, TV Series, music, kids, and board games. I think that's probably the best way to define me in a few words. 🙂 I work at Automattic where I lead a team building tools for bloggers and creators. I talk a lot about WordPress things, but also about all things open source in general. I live in Brittany, France, so you'll also find me sharing pictures from our beautiful region from time to time.