WordPress Force Installs Jetpack Security Update on 5 Million Sites
upstart writes in with an IRC submission:
WordPress force installs Jetpack security update on 5 million sites:
Jetpack is a remarkably popular WordPress plug-in that provides free security, performance, and website management features, including brute-force attack protection, site backups, secure logins, and malware scanning.
The plugin has more than 5 million active installations, and it is developed and maintained by Automattic, the company behind WordPress.
[...] The vulnerability was found in the Carousel feature and its option to display comments for each image, with nguyenhg_vcs being the one credited for responsibly disclosing the security bug.
No other details are available regarding this security flaw to protect the sites that haven't yet been updated. However, we do know that Automattic addressed it with added authorization logic.
The announcement made by Automattic says the bug impacts all versions starting with the Jetpack 2.0 release and going back to November 2012.
The Jetpack development team added that it found no evidence that the vulnerability has been exploited in the wild.
"However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability," the developers warn.
Read more of this story at SoylentNews.