11 Apr

2014

Jetpack Critical Vulnerability Fixed on SiteGround Servers

jetpack

Yesterday, on April 10th, a critical security flaw in the popular Jetpack plugin was made public in an official statement by the Jetpack developers. If the vulnerability was exploited, an attacker could publish new posts in any WordPress installation using Jetpack and possibly get even more access to that site. Although we did not detect any hacked sites through that exploit on our servers, that was a critical security hole and we took several actions to patch it.

Adding a Rule to Our Firewall System

Normally, some of the actions of the Jetpack plugin should be executable only through a finite number of IPs that are part of the Jetpack official network. The vulnerability allows other IPs to execute these actions too. That is why the first thing we did was to add an additional rule to our firewall that prevents non-Jetpack IPs to execute such actions.

Updating the Jetpack Plugin of Our Users

We have also updated most of the nearly 12 000 Jetpack plugins detected on our servers to the latest security version released by its developers and applicable for the version branch used. Email, informing about the issue and the update needed was also sent to all users whose Jetpack update was not under our control.

Author: Hristo Pandjarov

Product Development - Technical

Enthusiastic about all Open Source applications you can think of, but mostly about Joomla and WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!