
Jetpack 2.9.3: Critical Security Update

Jetpack version 2.9.3 contains a critical security update, and you should update your site and any you help manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.

During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.

Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

Over the next few hours, we will reach out to individuals whose sites are still running an insecure version. Sites that don’t update may be disconnected from the Jetpack service for their own security, and will be able to reconnect as soon as their version of Jetpack is updated.

If you host a large number of Jetpack-powered blogs, please leave your contact information in the comments so we can be in touch in the future. We have prepared and shipped point releases for all eleven vulnerable branches of the Jetpack codebase: 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3. If you can force these upgrades for your hosted users, it will prevent their sites from being compromised.
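For a host that needs to audit many installs against the point releases listed above, here is an added example (not Jetpack's own code) that classifies an installed Jetpack version as unaffected, patched or vulnerable and reads that version from the standard WordPress plugin header of jetpack.php. The branch-to-fix table is taken from this post; the sample plugin header and the "anything newer than 2.9 is past the fix" rule are assumptions.

```python
"""Audit installed Jetpack versions against the patched point releases listed above.

Added example, not Jetpack's own code: the branch-to-fix table comes from the post,
the sample plugin header is constructed.
"""
import re
from typing import List, Optional, Tuple

# Point releases shipped for the eleven vulnerable branches (from the post).
PATCHED = {
    (1, 9): (1, 9, 4), (2, 0): (2, 0, 6), (2, 1): (2, 1, 4), (2, 2): (2, 2, 7),
    (2, 3): (2, 3, 7), (2, 4): (2, 4, 4), (2, 5): (2, 5, 2), (2, 6): (2, 6, 3),
    (2, 7): (2, 7, 2), (2, 8): (2, 8, 2), (2, 9): (2, 9, 3),
}
FIRST_AFFECTED = (1, 9)  # the bug was introduced in Jetpack 1.9 (October 2012)
# Matches the 'Version:' line of a standard WordPress plugin header.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.9.3' or '2.5' into (major, minor, patch); missing parts are 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

def required_fix(version: str) -> Tuple[int, int, int]:
    """Minimum safe build for this version's branch (assumed 2.9.3 for anything newer)."""
    major, minor, _ = parse_version(version)
    return PATCHED.get((major, minor), PATCHED[(2, 9)])

def jetpack_status(version: str) -> str:
    """Classify one install: 'not-affected' (pre-1.9), 'patched' or 'vulnerable'."""
    v = parse_version(version)
    if v[:2] < FIRST_AFFECTED:
        return "not-affected"
    return "patched" if v >= required_fix(version) else "vulnerable"

def version_from_plugin_header(jetpack_php: str) -> Optional[str]:
    """Read 'Version:' from the header of wp-content/plugins/jetpack/jetpack.php."""
    m = HEADER_RE.search(jetpack_php)
    return m.group(1) if m else None

def sites_needing_update(sites: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (site, installed, required) for each site still on a vulnerable build."""
    todo = []
    for site, installed in sites:
        if jetpack_status(installed) == "vulnerable":
            todo.append((site, installed, ".".join(map(str, required_fix(installed)))))
    return todo

# Constructed sample: the top of jetpack.php on an install still running 2.0.2.
SAMPLE_JETPACK_PHP = """<?php
/*
 * Plugin Name: Jetpack by WordPress.com
 * Version: 2.0.2
 */
"""
```

Feed `sites_needing_update` the (hostname, version) pairs collected from each install's jetpack.php header to get the list of sites and the exact point release each one must be moved to.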

Finding and fixing bugs is a key part of software development. I can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.


92 Responses to Jetpack 2.9.3: Critical Security Update

  1. Chris Lauzon says:

    Reblogged this on Portal of Delusion and commented:

    Upgrade your Jetpack !

  2. Thanks for all your hard work! I’ve shared this with my network and I am updating numerous sites now…

    Definitely appreciate the work you all do.

  3. mordauk says:

    Thank you for being proactive and doing your very best to protect affected sites.

  4. There’s no option showing for updating Jetpack on my website.

    Do I download it and install it new?

    • What version does WordPress say that you are running? You may have been automatically updated already.

      • cpkochjr says:

        From the paragraph above there is a very real implication that 2.9.3 is vulnerable as well. This is a source of confusion … at least for me.

        Read it! Think about it! Tell us what you think!
        ————————————————————————————————————-
        If you host a large number of Jetpack-powered blogs, please leave your contact information in the comments so we can be in touch in the future. We have prepared and shipped point releases for all eleven vulnerable branches of the Jetpack codebase: 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3. If you can force these upgrades for your hosted users, it will prevent their sites from being compromised.
        ——————————————————————————————————-

      • 2.9.3 is secure.

        When listing them, the eleven listed versions are the point releases that were shipped.

      • My website is not automatically updated, it is still showing Jetpack 2.9.2 but there is no option to update the plugin. Can you please look into this? I don't want to lose my Jetpack settings.

      • Jeremy says:

        Could you try to update the plugin manually, by following the instructions here? If you experience issues, send us an email!

    • Hesham says:

      You can simply do a manual update if you are not sure. I would deactivate and delete the old version, then install the latest version (which includes the update) from the Jetpack site or WordPress.org.

    • rogerpacker says:

      You need to go to Plugins/Installed Plugins. Scroll down to see your Jetpack installation. On the right at the bottom you should see what version you are running. If this is not 2.9.3 (the latest version) then you’ll see a notification below saying, “There is a new version of Jetpack..” and giving a link on the right of that to Update now. Just click on this and you’ll be updated to 2.9.3.
      You can’t update from the Jetpack link at the top of the dashboard where you set up your modules, which is probably causing the confusion. You have to update from Plugins/Installed Plugins/Jetpack.
      Hope this helps.

  5. suzanneshugar says:

    Hi there,

    I am confused. I went to my site and do not see a security update for Jetpack.

    Where should I look?

    • Ryan Cowles says:

      Hi there! What version of Jetpack does WordPress say that you are running? You may have been automatically updated already. You can find more info and step-by-step instructions here. And if you need any help, just let us know!

      • Ryan, Thank you for explaining that to suzanneshugar…. I was also very concerned and unable to feel confident with the information presented. A graphic is always good….thanks again..

      • Ryan Cowles says:

        You’re welcome! I definitely understand your concern, but as long as you update to the patched version you will be fine :) Don’t hesitate to let us know if you have any questions!

    • Just look on plugin page which version you have. If it’s 2.9.3, then it’s already updated.

  6. I can’t remember upgrading either, but on 90% of my sites Jetpack is up to date. I’m guessing my hosting company took care of that.

  7. eltaino says:

    My site is running Jetpack 2.9.3, however this notice above says “Jetpack version 2.9.3 contains a critical security update.” Clicking to download the new .zip file says 2.9.3, so what’s the difference between the one already running on the site and this new one? I’m not being prompted to upgrade in my dashboard either. What am I missing?

  8. mhrubak says:

    Thanks for all the hard work and email notification, JetPack team! Updating my site right now…

  9. danw3108 says:

    As a software/web developer myself, and with the recent heartbleed vulnerability causing mass-hysteria, most of us know and understand that security issues can be found in any software at any time.

    What I must admire, is the exceptional way in which the Jetpack and WordPress teams have handled this situation. It’s great to see that such dedication goes into the security of a product, and that the end users are kept so well informed!

    IMHO, this makes a perfect case study on handling security vulnerabilities “the right way”.

    We passed on the level of customer care that you give us to our own customers, rolling out the update on both our own WordPress networks (containing a total of 21 sites) and our numerous clients’ standalone sites as quickly as physically possible.

    Great work guys,
    Keep it up!

  10. F***ing awesome response guys. As a dev I respect your admission and admire your quickness to respond when you found out about it. Well handled. Very happy.

  11. I received an email that there is a security vulnerability with the version of Jetpack active on my site. I actually cannot see it anymore on my site, but if I try to upload a new version of Jetpack: 2.9.3, it tells me that it’s already installed. It’s not in my plugins or on my dashboard. Help!

  12. Tarun says:

    I don't see an option for auto update. I'm currently on Version 2.3.5. What should I do?

  13. dorjemedia says:

    Do I need to first uninstall my current version of Jetpack 2.2.5, and then install a clean version of 2.9.3? I don’t see any other way. I see no prompts for an update to Jetpack whatsoever.

    Having to completely uninstall it and then install a clean version runs counter to how I understand WordPress plugins are supposed to work. Am I missing something?

    When I go to upload the latest version that I downloaded via Jetpack’s notification emails for all my sites, it won’t install because it won’t overwrite the existing Jetpack directory on the server.

    Thoughts?

    Thanks for the fast notification. Wish the upgrade was a little cleaner, though.

    • If you have FTP access, you can just overwrite the old plugin with the new that way. Alternately, deleting and reinstalling an up to date version will work, but you may need to enable/disable a few modules if the preferences get affected.

  14. Tis the season for updates I guess – makes one’s heart bleed :)

    @Buffered to all my networks….

  15. bloveds says:

    The download is for the same version. Where is the correct one?

  16. Motwera says:

    Wait, does this mean only Jetpack-used plugins are unaffected after updating? (already did)
    or is it sitewide?

  17. ahcjlive says:

    I’m on 2.0.2. Why am I not able to auto-update? What am I going to lose doing a manual update?

    • What version of WordPress are you on? You may need to update core first, to have the updater run as expected. We’ve just made a change for the older security releases, so you may be able to update them as-is — but we would still strongly encourage you to update core to current.

      • ahcjlive says:

        3.6.1, and updating core is non-trivial in this case.

        I’ve removed the 2.0.2 plugins/jetpack and replaced it with 2.0.6. I did not deactivate first, the plugin says it is now 2.0.6, and I was not asked to reconnect with wordpress.com. Am I good for now? Anything missed?

      • Nope, you’re good.

  18. Christopher says:

    Haha, I didn’t check if my Jetpack was automatically updated before manually downloading the update and manually updating. Thanks to Jetpack I was in panic mode, thanks a lot :-)

  19. bartaisys says:

    Hi George,

    The wording of this update notice is a bit confusing. It sez there are eleven vulnerable branches, then goes on to list them with v2.9.3 in the vulnerable group.

    Then elsewhere in your comments you state that 2.9.3 is OK and NOT vulnerable. So perhaps there are only 10 vulnerable branches, or is there a 2.9.3.x un-shown version update?

    Perhaps to save support time and traffic the notice could be rewritten to clarify the above.

    Also, if it is a hidden 2.9.3.x update, is there a way (certain file version or date stamp) that would reveal the situation?

    And, how does all this fit in with the new WP policy of doing back end security updates without user intervention?

    thanks for the catch and quick posting to hosts…. great work!

    bc

  20. michellerajotte says:

    I’m trying to update our WordPress site, but when the update starts it takes me to the Connection Info page and says my credentials are wrong for my FTP (which is correct, I recently changed the password). However, I am unable to make any edits to the password text box on the screen. Is there another place in WordPress I can update Jetpack with my new log in credentials?

    • Can you log into your web server via an FTP client such as Filezilla to update that way?

      • michellerajotte says:

        If I understood any of the words in your reply, I would do that. =] Sadly, I use WordPress because I am not Web site literate. Is Filezilla something I can download as well?

      • Can you send in a support request via jetpack.me/contact-support and one of our awesome Happiness Engineers will help you out? In the meantime, please deactivate Jetpack to keep your install secure.

      • michellerajotte says:

        Will do! I look forward to working with a Happiness Engineer. =]

  21. Updated. No worries now?

  22. Adri says:

    I’m really confused. I received emails from Jetpack letting me know to update through the dashboard of my sites that has the plugin on, but when I went, I don’t see an option/prompt for me to upgrade. All of my sites have 2.9.3 version when I checked them. So, from my understanding with the emails/messages, 2.9.3 has a major bug and I have to update (re-update?) it to the same version?

    Please clarify, thanks!

  23. Hey, I got this message when updating the plugin…
    “Updating Plugin Jetpack by WordPress.com (2/2)
    Downloading update from https://downloads.wordpress.org/plugin/jetpack.2.7.2.zip…
    Unpacking the update…
    An error occurred while updating Jetpack by WordPress.com: Could not copy file. jetpack/_inc/images/footer-clouds-2x.png”

    Please advise, thanks

  24. Naq says:

    Hey everyone,

    When I try to update Jetpack through my dashboard, it comes up as “download failed. couldn’t connect to host”.

    Anyone got any ideas on how to get it updated?

    Any help will be much appreciated.

  25. Hesham says:

    Thank you guys, I’ve got a notification from BlueHost about this update, and they’ve told me they are working to update all sites on their servers, so sweet!

  26. napdhal says:

    Automatic update of the plugin mixed up things. I had to uninstall the plugin and delete all files from the file manager. Don't know what happened actually! It was giving an error on line 85/86.

  27. rogerjg says:

    Hello, just so I am clear on what you are saying here, am I correct in thinking that as long as the Jetpack I am running is 2.9.3 that is safe and anything other than 2.9.3 needs to be updated? Should there be an update on the WordPress sites that do not have Jetpack 2.9.3?

    • Jeremy says:

      If you use Jetpack 2.9.3, you’re indeed safe.

      If you run an old version of the plugin, you’ll need to update to 2.9.3, or to a patched version of your current Jetpack plugin. We’ve provided links to each point release for all eleven vulnerable branches of Jetpack in the article.

  28. If Jetpack is already deactivated, is there a need to update?

  29. Does this apply to Slim Jetpack as well?

    • Jeremy says:

      You’ll need to get in touch with the Slim Jetpack plugin authors to make sure.

      Another alternative would be to use Jetpack’s development mode instead of this third-party plugin. The dev mode allows you to use Jetpack without connecting your site to a WordPress.com account. You can read more about it here:

      http://jetpack.me/support/development-mode/

  30. cybermitzi says:

    George: Thank you. I have updated my websites. I have just recently had my computer debugged so I’m hoping that the problem was found.

  31. omega57 says:

    I just hit update so hope all is fine.

  32. Pat says:

    Just finished updating and changing a few settings. So… no more worries now?

    • Jeremy says:

      If you’ve updated to one of the patched versions, the vulnerability is now fixed on your site. No more worries there!

  33. peppedantini says:

    Something strange happened to me.
    My site has WP 3.8.2 with jetpack 3.9.2. Since 10/04 the site stopped responding; in the error log I found this:

    PHP Fatal error: require_once() [function.require]:
    Failed opening required ‘…/wp-content/plugins/jetpack/class.jetpack.php’
    (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in …/wp-content/plugins/jetpack/jetpack.php on line 37

    Looking in the folder “…/wp-content/plugins/jetpack/” I’ve found just a few of the files needed (comparing it to the zip file downloaded from here). All the files are dated “10/04/2014 23.44”, but nobody worked on the site in the last days. In the folder there is the “readme.txt”: opened, it contains references to version 3.9.3 of Jetpack.
    It seems like someone (who? automatically?) tried to update Jetpack without completing the work.
    What happened?
    How can I see if Jetpack’s options stored in the db were modified?
    Can I FTP upload the entire folder “jetpack” (3.9.2 or 3.9.3?) to revive the site?
    Do I lose the options doing that?
    Thanks

    • Jeremy says:

      It seems the automatic update failed on your site. Could you try to update manually, as explained here:

      http://jetpack.me/support/how-to-install-the-security-update/#download

      You won’t lose any of your Jetpack options in the process.

      If you experience more issues with the update, do not hesitate to send us an email!

      http://jetpack.me/contact-support/

      • peppedantini says:

        “automatic update”?
        Does Jetpack have an automatic update service?

        However, I just uploaded the jetpack 3.9.3 via FTP, and all seems to be good: the site’s running and the options are safe.

      • As noted above,

        We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

        We (the Jetpack team) didn’t actually push the auto-update, we put the update together and worked with some WordPress core developers who selected to auto-update WordPress sites that would accept it.

  34. hello,
    I am running WordPress 3.8.2. I have the plugin “Jetpack by WordPress.com” Version 2.5 and it doesn’t tell me to update anything, how come? Do I have to find a way to do it manually? Thanks.

  35. Teuku Ajie says:

    Hey there, I’m having a problem: my Jetpack can’t be updated. Since it failed to update I can’t find my Jetpack on the dashboard anymore, and when I try a new installation it says the destination folder already exists, plugin install failed! Can someone help me?

    • Could you please contact one of our Happiness Engineers with your current WordPress version, plugin version, and whether you have FTP access handy via jetpack.me/contact-support? They’d be delighted to walk you through it.

  36. Pat says:

    Hi, I’m getting this error on one of my sites: “An error occurred while updating Jetpack by WordPress.com: Could not copy file. jetpack/_inc/images/footer-clouds-2x.png”

    Any advice? Thanks!

  37. I wasn’t running jetpack – but my site was hacked as described in this post here in the past week.

    • This applies only to sites that are running Jetpack. If you were hacked within the past week, but aren’t using Jetpack, then you must have another security hole somewhere else within your infrastructure.

  38. vwrafi says:

    I have a 3.5.1 WordPress. What is the highest version number of Jetpack that I can install on my WordPress 3.5.1? At the moment I have got Jetpack 2.2.7. How high can I go without updating WordPress?

  39. Eclectablog says:

    Why were Site Stats eliminated? I really liked that feature in Jetpack and was surprised to see it eliminated with no warning or mention.

    • The WordPress.com Stats module has not been eliminated.

      • Eclectablog says:

        Well, it completely disappeared from my site when I upgraded. No module on the Jetpack page in my dashboard, no chart at the top of the page when I’m logged in, and when I go to my stats via my bookmark, I get “You do not have sufficient permissions to access this page.” I’m not the only person with this problem, judging by some of the other forums I’ve been commenting on.

      • Could you please contact support via jetpack.me/contact-support/ ? It certainly should be showing, unless you have some other non-Jetpack code active that is intentionally disabling it.

      • My other thought is that perhaps your installation got a bit goofed with the upgrade — the zip didn’t fully unpack — so if you try reinstalling via FTP, it may show up again.

    • Eclectablog says:

      Turns out the issue is a conflict with the Subscribe2 widget. When I deactivate that, the Site Stats come back. I’ll have to wait until the Subscribe2 widget author resolves the problem in order to see site stats again.

  40. galverito86 says:

    thanks!
