Jetpack, a popular WordPress plugin, has rolled out a critical security update to address a vulnerability that could allow logged-in users to access forms submitted by other site visitors.
The vulnerability was discovered during an internal security audit and has been present since version 3.9.9, which was released in 2016. According to Jetpack’s security bulletin, “This flaw could be exploited by any logged-in user to view forms submitted by site visitors.”
Automattic has already issued patches for 101 affected versions of the plugin, with versions ranging from 3.9.10 to 13.9.1. Website owners should ensure their Jetpack plugin has automatically updated to one of these patched versions, or manually update it if necessary.
While there is no evidence that the vulnerability has been exploited in the past eight years, Jetpack strongly urges users to update as soon as possible to prevent potential attacks now that the vulnerability has been disclosed. There are no alternative solutions or workarounds, so applying the patch is the only recommended fix.
Bijay Pokharel