Jetpack 2.9.3: Critical Security Update

Derek Springer:

Public Service Announcement: please update your Jetpack!

Originally posted on Jetpack for WordPress:

Jetpack version 2.9.3 contains a critical security update, and you should update your site and any you help manage as soon as possible.  You can update through your dashboard, or download Jetpack manually here .

During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.

Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)

This is a bad bug, and Jetpack is one of the most widely used plugins…

View original 251 more words