It’s been a busy week… On the heels of a WordPress security update and the Heartbleed bug, Jetpack has reported discovering a vulnerability in the WordPress plugin and has issued a critical security update.
What does this mean to you?
Well, nothing – if you don’t have the Jetpack plugin installed on your WordPress website.
If you do have Jetpack installed, you just need to update it. Nothing more or less, no big deal.
From the Jetpack Blog, in their words:
During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.
Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)
In English, the problem has been around for a while, no one found it or took advantage of it. At least there’s no evidence of exploitation. Thankfully. Now that it’s receiving significant PR, rest assured those pesky people may just try.
That’s why you may receive an email from your host to upgrade the plugin. They’re trying to protect themselves (and you, their customer).
Log into your WordPress admin panel and update your Jetpack plugin if you haven’t already.