Jetpack released version 2.9.3 today. This is a critical security update that fixes a potentially serious threat that has been present in Jetpack since version 1.9, released in October 2012. George Stephanis explained the vulnerability in the release announcement:
During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access.
At this time, the Jetpack team has no evidence that the vulnerability has been exploited on any sites running the plugin. However, now that it has been disclosed publicly, every WordPress site administrator that is using Jetpack is strongly encouraged to prioritize this update and take immediate action for all sites that you manage.
To give you an idea of the severity of this bug, Stephanis said sites that continue running old versions of the plugin may soon be disconnected from the Jetpack service for their own security. Here’s what they’re doing to mitigate the threat:
This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.
Sites that can receive automatic background updates may already have the updated version of Jetpack. All others will be prompted to update manually.
The Jetpack team has prepared point releases for all 11 previous versions that are vulnerable to this threat. They will be reaching out to admins of sites that are still running the old versions to make them aware of the critical update. Sites that do not update will not be allowed to reconnect to the Jetpack service.
If you operate a WordPress site running Jetpack or have client sites using the plugin, you will need to take action immediately, especially if your site’s functionality depends heavily on the Jetpack service.