A critical vulnerability has been identified in the Jetpack plugin, widely used on over 27 million WordPress websites. The flaw, discovered during an internal security audit, resides in the Contact Form feature, allowing logged-in users to access forms submitted by other visitors. The issue has existed since Jetpack version 3.9.9, released in 2016, and has now been patched across 101 different versions. While no exploitation has been observed in the wild, the public disclosure increases the risk of future abuse.
Vulnerability Details:
- Plugin: Jetpack by Automattic
- Affected Versions: Jetpack 3.9.9 (2016) to 13.9.0
- Patched Versions: 13.9.1, plus patched point releases on earlier branches (listed below)
- Discovery Date: Internal security audit, October 2024
- Public Disclosure Date: October 15, 2024
- Vulnerability Type: Unauthorized Data Access
- Attack Vector: Logged-in users can access data (contact form submissions) submitted by other users.
- Impact: Compromised confidentiality of form submissions on WordPress sites.
- Exploitation Evidence: None reported as of this writing.
Impacted Component:
The vulnerability exists within Jetpack’s Contact Form feature, which is used to collect visitor input on a website. Any logged-in user, regardless of role, could exploit this flaw to read private submissions.
Risk:
This vulnerability potentially exposes sensitive data submitted through contact forms, such as personal identifiers, email addresses, and other private communications. Because the flaw affects a very large number of sites, the scope of potential exposure is correspondingly broad.
Mitigation:
The Jetpack team worked closely with the WordPress.org Security Team to implement an automatic update process, ensuring most sites are patched. The issue has been fixed in 101 different versions of Jetpack, including the latest stable release (13.9.1). Site owners should confirm that Jetpack has been updated automatically, or update it manually to a patched version.
Patched Versions:
- Latest Patch Version: 13.9.1
- Other Patched Versions: 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, and many more (full list available).
Recommendations:
- Update Immediately: Ensure all websites running Jetpack update to version 13.9.1 or any of the previously patched versions.
- Audit Access Permissions: Review and restrict user roles with access to sensitive data, minimizing the risk of internal threats.
- Monitor for Exploitation: While no exploitation has been observed, administrators should monitor their logs for unusual activity involving contact form data.
- Disable Contact Form Feature (if necessary): If immediate updating isn’t possible, consider temporarily disabling the Contact Form feature.
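As an added example (not code from the advisory or from Jetpack), the checker below classifies an installed Jetpack version string, such as the output of `wp plugin get jetpack --field=version`, against the affected range and the patched releases named above. The site inventory is constructed, and because the page prints only part of the 101 fixed releases, branches missing from that partial list are flagged for manual verification rather than guessed.

```python
# Added example: classify Jetpack versions against this advisory's ranges.
# KNOWN_PATCHED holds only the fixed releases quoted on the page (assumption:
# later point releases on the same branch carry the same fix); other branches
# must be checked against Jetpack's full list of patched versions.
from typing import Dict, Tuple

AFFECTED_MIN = (3, 9, 9)    # first vulnerable release (2016)
AFFECTED_MAX = (13, 9, 0)   # last vulnerable release before 13.9.1

# Fixed point release per release branch, as listed in the advisory.
KNOWN_PATCHED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (13, 9): (13, 9, 1), (13, 8): (13, 8, 2), (13, 7): (13, 7, 1),
    (13, 6): (13, 6, 1), (13, 5): (13, 5, 1), (13, 4): (13, 4, 4),
    (13, 3): (13, 3, 2), (13, 2): (13, 2, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '13.8.2' or '13.9' into a 3-tuple; a missing patch level is 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised Jetpack version: {text!r}")
    return (parts[0], parts[1] if len(parts) > 1 else 0,
            parts[2] if len(parts) > 2 else 0)


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable', 'not-affected' or 'verify'."""
    v = parse_version(version)
    if v < AFFECTED_MIN:
        return "not-affected"       # predates the 3.9.9 change that introduced the flaw
    fixed = KNOWN_PATCHED.get((v[0], v[1]))
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    if v > AFFECTED_MAX:
        return "patched"            # newer than the 13.9.1 fix line
    return "verify"                 # branch not on the page's partial list


def sites_needing_action(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return site -> status for every site that is not known to be safe."""
    return {site: status for site, ver in inventory.items()
            if (status := classify(ver)) in ("vulnerable", "verify")}


if __name__ == "__main__":
    # Constructed inventory: site hostname -> installed Jetpack version.
    fleet = {"blog.example": "13.9.1", "shop.example": "13.8.1",
             "docs.example": "12.9.0", "legacy.example": "3.9.8"}
    for site, status in sites_needing_action(fleet).items():
        print(f"{site}: {status}")
```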
Historical Context:
Jetpack experienced a similar incident in June 2023, where a critical flaw dating back to 2012 was discovered and patched. The repeated discovery of long-standing issues in widely used plugins like Jetpack highlights the importance of continuous auditing and timely updates.
Ongoing Disputes:
The vulnerability was disclosed against a backdrop of ongoing tensions between WordPress and WP Engine, specifically regarding the Advanced Custom Fields (ACF) plugin. WordPress took over the plugin, forking it to create Secure Custom Fields (SCF) after WP Engine failed to address security concerns. These disputes raise broader questions about plugin security and governance within the WordPress ecosystem.
Conclusion:
Given the massive user base of Jetpack, the discovery of this vulnerability underscores the importance of prompt patching and regular security audits. All affected sites should update to the latest version to mitigate potential data exposure risks. Continuous monitoring and access control policies will further reduce the risk of exploitation.