The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site.
Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive suite of tools to improve site safety, performance, and traffic growth. It’s used on 27 million WordPress sites, according to its website.
The issue is said to have been identified by Jetpack during an internal security audit and has persisted since version 3.9.9, released in 2016.
The vulnerability resides in the Contact Form feature in Jetpack, and “could be used by any logged in users on a site to read forms submitted by visitors on the site,” Jetpack’s Jeremy Herve said.
Jetpack said it’s worked closely with the WordPress.org Security Team to automatically update the plugin to a safe version on installed sites.
The shortcoming has been addressed in the following 101 different versions of Jetpack –
13.9.1, 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, 13.1.4, 13.0.1, 12.9.4, 12.8.2, 12.7.2, 12.6.3, 12.5.1, 12.4.1, 12.3.1, 12.2.2, 12.1.2, 12.0.2, 11.9.3, 11.8.6, 11.7.3, 11.6.2, 11.5.3, 11.4.2, 11.3.4, 11.2.2, 11.1.4, 11.0.2, 10.9.3, 10.8.2, 10.7.2, 10.6.2, 10.5.3, 10.4.2, 10.3.2, 10.2.3, 10.1.2, 10.0.2, 9.9.3, 9.8.3, 9.7.3, 9.6.4, 9.5.5, 9.4.4, 9.3.5, 9.2.4, 9.1.3, 9.0.5, 8.9.4, 8.8.5, 8.7.4, 8.6.4, 8.5.3, 8.4.5, 8.3.3, 8.2.6, 8.1.4, 8.0.3, 7.9.4, 7.8.4, 7.7.6, 7.6.4, 7.5.7, 7.4.5, 7.3.5, 7.2.5, 7.1.5, 7.0.5, 6.9.4, 6.8.5, 6.7.4, 6.6.5, 6.5.4, 6.4.6, 6.3.7, 6.2.5, 6.1.5, 6.0.4, 5.9.4, 5.8.4, 5.7.5, 5.6.5, 5.5.5, 5.4.4, 5.3.4, 5.2.5, 5.1.4, 5.0.3, 4.9.3, 4.8.5, 4.7.4, 4.6.3, 4.5.3, 4.4.5, 4.3.5, 4.2.5, 4.1.4, 4.0.7, 3.9.10
While there is no evidence that the vulnerability has ever been exploited in the wild, there is a likelihood that it could be abused going forward in light of public disclosure.
It’s worth noting that Jetpack rolled out similar fixes for another critical flaw in the Jetpack plugin in June 2023 that had been existing since November 2012.
The development comes amid an ongoing dispute between WordPress founder Matt Mullenweg and hosting provider WP Engine, with WordPress.org taking control of the latter’s Advanced Custom Fields (ACF) plugin to create its own fork called Secure Custom Fields.
“SCF has been updated to remove commercial upsells and fix a security problem,” Mullenweg said. “This update is as minimal as possible to fix the security issue.”
WordPress did not disclose the exact nature of the security problem, but said it has to do with $_REQUEST. It further said the issue has been addressed in version 6.3.6.2 of Secure Custom Fields.
“Their code is currently insecure, and it is a dereliction of their duty to customers for them to tell people to avoid Secure Custom Fields until they fix their vulnerability,” WordPress noted. “We have also notified them of this privately, but they did not respond.”
WP Engine, in a post on X, claimed WordPress has never “unilaterally and forcibly” taken an actively developed plugin “from its creator without consent.”
In response, WordPress said “this has happened several times before,” and that it reserves the right to disable or remove any plugin from the directory, remove developer access to a plugin, or change it “without developer consent” in the interest of public safety.