Jetpack patches critical bug that exposed data on 27M WordPress sites

Jetpack released a patch for a critical vulnerability that could let a malicious user send a specially crafted request to a WordPress server and read form data submitted by other users, a flaw that left sensitive personal information potentially exposed on 27 million websites.

Owned by Automattic, the company behind WordPress.com, the Jetpack plug-in bundles many site features that businesses rely on. For example, its Gravatar integration displays the avatars or headshots that users upload, Jetpack Stats lets website operators gather statistics on page views and traffic patterns, and Jetpack also manages subscriptions.

In an updated Oct. 15 blog post, Jetpack Mechanic Jeremy Herve said that in releasing Jetpack 13.9.1, the team had found no evidence that the bug has been exploited in the wild.

However, Herve said the vulnerability, which the company found in its Contact Form feature during an internal security audit, dates back to Jetpack version 3.9.9, released in 2016. In the blog post, Jetpack included a list of the 101 versions that received the fix.

“If your site is running any of these versions, your website is not vulnerable to this issue anymore,” wrote Herve. “It has been automatically updated to a secure version.”

This was the second time in roughly a year and a half that Jetpack fixed a long-standing bug. In May 2023, Jetpack released an automatic update in version 12.1.1 to address a critical flaw introduced in a plug-in version released in 2012.

Mayuresh Dani, manager, security research, at the Qualys Threat Research Unit, explained that the vulnerability, which does not yet have a CVE, gives authenticated users unauthorized access to data submitted by other users. An authenticated remote attacker could use the flaw to view sensitive information entered by other users of the platform, Dani said.

“By nature, the contact form asks for personally identifiable information such as phone numbers and email addresses, so for active WordPress installations this translates to a huge amount of PII,” said Dani. “Fortunately, while this feature is enabled by default, it can also be disabled. Teams should evaluate if this feature is being actively used or not and then disable it accordingly, especially if the plug-in cannot be updated.”

“WordPress and many hosting providers tend to do a fairly good job of allowing plug-ins to be automatically updated,” said Evan Dornbush, a former NSA cybersecurity expert.

“However, if you maintain a site where plug-ins are not updated, and your site's visitors utilize accounts, patching is probably something you want to look into lest user data be disclosed,” said Dornbush.
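For site operators who want to act on the advice above (confirm the installed Jetpack version, update it, or switch the Contact Form module off if updating is not an option), here is an added WP-CLI triage script. It is an example written for this page, not code from Jetpack, Automattic or the article. It assumes WP-CLI is installed and run from the WordPress root, and that the Jetpack module slug for the Contact Form feature is `contact-form`; the version thresholds (3.9.9 introduced the bug, 13.9.1 is the current fixed release, and the 101 back-ported fixes in between are listed only in Jetpack's blog post) come from the article.

```shell
#!/bin/sh
# Added example (not Jetpack's or the article's code): triage a WordPress site for
# the Jetpack Contact Form data-disclosure bug using WP-CLI.
# Assumptions: wp-cli is on PATH, we are in the WordPress root, and the Jetpack
# module slug for the Contact Form feature is "contact-form".

# Compare two dotted version strings; prints -1, 0 or 1 for a < b, a = b, a > b.
# Missing components count as 0, so "13.10" > "13.9.1" and "14.0" = "14".
vercmp() {
    vc_a=$1 vc_b=$2 vc_r=0
    while [ -n "$vc_a" ] || [ -n "$vc_b" ]; do
        vc_x=${vc_a%%.*}; vc_y=${vc_b%%.*}
        case $vc_a in *.*) vc_a=${vc_a#*.};; *) vc_a=;; esac
        case $vc_b in *.*) vc_b=${vc_b#*.};; *) vc_b=;; esac
        vc_x=${vc_x:-0}; vc_y=${vc_y:-0}
        if [ "$vc_x" -lt "$vc_y" ]; then vc_r=-1; break; fi
        if [ "$vc_x" -gt "$vc_y" ]; then vc_r=1; break; fi
    done
    printf '%s\n' "$vc_r"
}

# Classify an installed Jetpack version against the advisory:
#   unaffected           - older than 3.9.9, i.e. predates the vulnerable code
#                          (such a site is ancient and should be updated anyway)
#   patched              - 13.9.1 or newer
#   check-backport-list  - between the two; fixed only if it is one of the 101
#                          back-ported releases Jetpack lists in its blog post
jetpack_status() {
    if [ "$(vercmp "$1" 3.9.9)" -lt 0 ]; then
        printf '%s\n' unaffected
    elif [ "$(vercmp "$1" 13.9.1)" -ge 0 ]; then
        printf '%s\n' patched
    else
        printf '%s\n' check-backport-list
    fi
}

# Live triage against a real site (needs wp-cli; not exercised offline).
# Preferred fix is to update the plug-in; if that fails (for example on a site
# where plug-in updates are locked down), fall back to disabling the module so
# the contact-form endpoints are no longer served.
triage_site() {
    ts_v=$(wp plugin get jetpack --field=version)
    ts_status=$(jetpack_status "$ts_v")
    printf 'Jetpack %s: %s\n' "$ts_v" "$ts_status"
    case $ts_status in
        patched) ;;
        *)
            if ! wp plugin update jetpack; then
                wp jetpack module deactivate contact-form
            fi
            ;;
    esac
}
```

`jetpack_status` deliberately refuses to declare a version between 3.9.9 and 13.9.1 safe on its own, because the patched-branch list is not reproduced here; a version in that range must be looked up against Jetpack's list before the site is treated as fixed. Disabling the module is a stopgap, not a substitute for the update: form submissions already stored on the site remain in the database either way.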