Jetpack 3.9.6 Fixes Bug that Inserts Random Vimeo Videos into Comments

photo credit: Tek F - cc
photo credit: Tek Fcc

Jetpack 3.9.5 was released yesterday with compatibilities for the upcoming WordPress 4.5 release and a handful of enhancements/bug fixes. Shortly after issuing the routine maintenance update, the Jetpack team began receiving reports of random, unwanted videos being added to the comments of posts. Any number string in the comments was automatically converted into a Vimeo video.

No, this bug was not an April Fool’s Day prank, although it seemed like it. As a temporary fix, support representatives recommended that users deactivate the Shortcode Embeds module.

The Jetpack team scrambled to fix the rather humorous and annoying bug, which had been introduced while fixing another Vimeo bug. A few hours later they shipped 3.9.6 on the heels of the maintenance release. Users who updated to 3.9.5 right away will need to update again in order to avoid running into this bug.


9 responses to “Jetpack 3.9.6 Fixes Bug that Inserts Random Vimeo Videos into Comments”

  1. Well, as a website administrator I can tell you that it was a pretty scary bug – I thought we were being hacked!

    I’m glad that the issue was fixed so quickly. Only a few of my website readers experienced it.



    • Exactly my reaction, though it wasn’t my site that was affected; saw it appearing in the early morning and was already like “oh no, just wait for the customers to call in hourly, complaining about some hack *eyerolls*” ..

      .. thankfully, nearly none of my clients is using that piece of … work ;)

      cu, w0lf.

  2. Practically users somehow lost control over the content on their own websites. For me, it looks more vulnerable and dangerous than humoruous.

    • I don’t see anything wrong here, after all the jetpack team did communicate, which in the end is much more important than users retaining control of their content.

      (hmm even non tags that look like tags are being stripped, so will try it the shortcode syntax way)


    • Not really a “vulnerability”, as such. Mainly it shows that regular expressions are very, very powerful, and shockingly easy to get wrong. Sometimes in interesting, potentially amusing, ways.

      Test cases help, but they can only test things you have thought of before. :)

  3. Let’s call it an early April Fools? :)

    Sorry for any inconvenience we caused, and thanks to all of our awesome users for your patience while we got it fixed. Lots of credit goes to Automattic’s Dennis Snell, Elio Rivero, Brandon Kraft and Igor Zinoyev for coming up with a solid solution so quickly.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: