Breaking: Jetpack Releases Critical Security Update, Immediate Action Required


Jetpack released version 2.9.3 today. This is a critical security update that fixes a potentially serious threat that has been present in Jetpack since version 1.9, released in October 2012. George Stephanis explained the vulnerability in the release announcement:

During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access.

At this time, the Jetpack team has no evidence that the vulnerability has been exploited on any sites running the plugin. However, now that it has been disclosed publicly, every WordPress site administrator that is using Jetpack is strongly encouraged to prioritize this update and take immediate action for all sites that you manage.

To give you an idea of the severity of this bug, Stephanis said sites that continue running old versions of the plugin may soon be disconnected from the Jetpack service for their own security. Here’s what they’re doing to mitigate the threat:

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

Sites that can receive automatic background updates may already have the updated version of Jetpack. All others will be prompted to update manually.

The Jetpack team has prepared point releases for all 11 previous versions that are vulnerable to this threat. They will be reaching out to admins of sites that are still running the old versions to make them aware of the critical update. Sites that do not update will not be allowed to reconnect to the Jetpack service.

If you operate a WordPress site running Jetpack or have client sites using the plugin, you will need to take action immediately, especially if your site’s functionality depends heavily on the Jetpack service.


8 responses to “Breaking: Jetpack Releases Critical Security Update, Immediate Action Required”

  1. The post ( ) says clearly that this update was rolled out via “core auto update functionality” – where possible. So it updated automatically in the background, just like for core with 3.8.2!

    I just got this confirmed via Twitter conversation with other WP developers.


    Only little “issue”: the info about that was maybe a bit late, updates were already rolling out and sites were automatically updated before webmasters/ maintainers got know what was going on.

    However, in the end, it’s great to see, another security issue got fixed very fast!

    I, personally, love the auto background updates. I had no problems since 3.7 — on a bout 100 installs. So props to @Nacin & the whole team for all this work!!!

    • That seems correct. The auto-updates should be able to roll out faster than anyone can find/read a blog post on the topic.

      I’ve been using auto-updates on plugins and themes since before it was in core, via that plugin (which I can’t remember the name of right now). It’s awesome and allows me to be super lazy when it comes to updates :)

  2. SOOOOOOOOOOOOOOOOOOOOOOOOOOOO many times when I do a jetpack update. the .maintenance file DOES NOT get deleted.

    This is specially annoying when you have 8 of your own sites, plus A LOT of corporate/client sites.

    PLEASE fix that?

    solution I do: login via ftp and delete .maintenance file.

  3. The issue is that users will only see a text referring to maintenance, so users have no access to actual site content as long as .maintenance file exists. I do the same as Miroslav…

    • The way WordPress actually handles that .maintenance file should prevent that from being an actual issue for very long.

      What WordPress does is to put PHP code into that file. It writes it to contain a single variable, named $upgrading, and it sets that variable to a time value of when the file was created.

      Later, when WordPress checks for the existence of the file, it actually includes the file, thus loading that variable. It then checks to see if the time in the $upgrading variable is more than 10 minutes old. If it is older than 10 minutes, then it ignores the file and continues on as per normal.

      So even if the file is left behind for whatever reason, it doesn’t stop the site from displaying for more than 10 minutes, max.

  4. Hello…I am not a superpro like most of the people who post here, Call me a newb..Anyway, is this a WordPress update or a Jetpack update? The only update button I see is for WP and that is telling me a bout new themes..When I look at Jetpack, I see all kinds of cool things, but no Update button. Can someone hold my hand and help me across the street? THANKS!


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: