Jetpack version 2.9.3 contains a critical security update, and you should update your site and any you help manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.
We realize that you may have questions. In this document, we cover:
- What is this security update?
- Why did I receive an email to upgrade Jetpack when I already upgraded?
- Why wasn’t I prompted to upgrade Jetpack?
- How do I know if I have the update?
- How do I upgrade Jetpack?
- Can you tell me how to edit the files myself?
- Jetpack is installed but has not been activated. What should I do?
- Should I change my password(s)?
- I’m using a two-step password authenticator with my site. Does that protect me?
- How would I know if my site has been exploited?
- I use WordPress.com. Does this affect me?
- Is Jetpack safe to use?
- I still need some help!
What is this security update?
During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.
Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible.
You can read more about this update on our blog post.
Please upgrade Jetpack by following these instructions.
Why did I receive an email to upgrade Jetpack when I already upgraded?
We sent the email to the Administrator account that connected Jetpack to WordPress.com. The recipient list was prepared shortly before the emails went out, from the sites that had not yet upgraded Jetpack at that moment, so some recipients upgraded in the interval between the list being prepared and the email being sent. If your site already shows a secure version, no further action is needed.
Why wasn’t I prompted to upgrade Jetpack?
The WordPress Security Team pushed an automatic update to sites running a version of WordPress that includes the built-in automatic update function (WordPress 3.7 or later), so many sites were upgraded to Jetpack 2.9.3 without any action by the site owner. To verify whether this happened to your site, go to Plugins → Installed Plugins and check the version number shown for Jetpack. If it reads 2.9.3 and you didn’t update it yourself, you were most likely updated by the WordPress Security Team.
How do I know if I have the update?
Visit the Plugins → Installed Plugins tab of your site’s Dashboard and find the Jetpack plugin. If your plugin version matches one of the versions listed here, you’ve already been updated to a secure version.
If not, you can follow the instructions on this page to update your version of Jetpack.
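If you manage several self-hosted sites, checking each dashboard by hand is slow. The script below is an added example (not Jetpack’s or Automattic’s code) that reads the `Version:` field from the plugin file header of `wp-content/plugins/jetpack/jetpack.php` and compares it numerically against the patched release for that release branch. It assumes the standard plugin path, and only the 2.9 branch’s patched release (2.9.3) is filled in from this page; the patched releases for older branches are on the support page linked above and must be added to `PATCHED` yourself, so an older branch it has no entry for is reported as `unknown-branch` rather than guessed at. The sample headers at the bottom are constructed for the demonstration.

```python
"""Check Jetpack plugin versions against the patched releases from the advisory."""
import re
import sys
from pathlib import Path
from typing import Dict, Optional, Tuple

# Patched release per Jetpack release branch, keyed by "major.minor".
# Only the 2.9 branch is filled in from this page; the support document lists a
# patched release for every older branch back to 1.9, which you would add here.
PATCHED: Dict[str, str] = {
    "2.9": "2.9.3",
}

# The "Version:" field of a WordPress plugin file header, e.g. " * Version: 2.9.3".
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.9.3' -> (2, 9, 3); numeric tuples compare correctly ('2.10' > '2.9.3')."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin file header, or None if absent."""
    match = VERSION_HEADER.search(header_text)
    return match.group(1) if match else None


def status(version: str, patched: Dict[str, str] = PATCHED) -> str:
    """Classify a Jetpack version as patched, vulnerable, or on a branch we have no data for."""
    found = parse_version(version)
    newest = max(parse_version(v) for v in patched.values())
    if found >= newest:
        return "patched"            # at or beyond the newest patched release
    branch = ".".join(str(n) for n in found[:2])
    if branch not in patched:
        return "unknown-branch"     # older branch: consult the per-branch list
    return "patched" if found >= parse_version(patched[branch]) else "vulnerable"


def check_site(wp_root: Path) -> str:
    """Check the Jetpack install under a WordPress root directory.

    This only inspects the file on disk; it cannot tell whether the plugin is
    activated or connected to WordPress.com.
    """
    jetpack_php = wp_root / "wp-content" / "plugins" / "jetpack" / "jetpack.php"
    if not jetpack_php.is_file():
        return "not-installed"
    version = plugin_version(jetpack_php.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return "no-version-header"
    return f"{status(version)} ({version})"


# Constructed sample headers in the layout WordPress plugin files use (not real files).
SAMPLE_VULNERABLE = """<?php
/*
 * Plugin Name: Jetpack by WordPress.com
 * Plugin URI: http://wordpress.org/extend/plugins/jetpack/
 * Author: Automattic
 * Version: 2.9.2
 */
"""
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace("Version: 2.9.2", "Version: 2.9.3")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_jetpack.py /var/www/site1 /var/www/site2 ...
        for root in sys.argv[1:]:
            print(f"{root}: {check_site(Path(root))}")
    else:
        for label, header in (("sample-vulnerable", SAMPLE_VULNERABLE), ("sample-patched", SAMPLE_PATCHED)):
            print(f"{label}: {status(plugin_version(header))}")
```

Run it with one or more WordPress root directories as arguments; with no arguments it classifies the two constructed headers. Versions are compared as integer tuples rather than strings so that a hypothetical 2.10 is not mistaken for something older than 2.9.3.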
How do I upgrade Jetpack?
If you are notified of an update to Jetpack via WordPress update notifications, please use the automatic updater to update your install of Jetpack to the most recent version.
If you need to manually update or are using an older version of Jetpack (version 2.8 or older) and cannot upgrade to 2.9.3, please visit this support document for instructions on manually updating Jetpack through your Dashboard or through FTP.
Can you tell me how to edit the files myself?
We strongly advise that you upgrade the plugin as we describe above. Jetpack 2.9.3 closes this security hole and includes a few smaller bug fixes.
If you’d prefer to continue using the version you currently have installed, there are updated versions of Jetpack for every major release back to version 1.9.2. You can find full instructions on updating your version here.
Jetpack is installed but has not been activated. What should I do?
As long as you haven’t connected to WordPress.com, you’re safe. If you plan on activating and connecting Jetpack to WordPress.com, you must upgrade to the latest version before activating the plugin. Jetpack will not allow insecure versions of the plugin to connect.
Should I change my password(s)?
This vulnerability does not affect or expose passwords. However, it’s always good practice to periodically change your login passwords.
You can use this support document to help you choose secure passwords for your WordPress site.
I’m using two-step password authentication with my site. Will I be affected?
Yes, you are still exposed. The vulnerability bypasses the login process altogether, so two-step authentication on the login form never comes into play; it protects your account’s login, not this code path. You must upgrade Jetpack to a secure version to fix this.
How would I know if my site has been exploited?
The vulnerability allows an unauthorized user to publish posts without the permissions that would normally require, and they may be able to combine that with other attacks to gain further access to your site. You might not notice until you’re locked out or see changes you didn’t make, so review your site’s posts and user accounts for anything unexpected, and upgrade to a secure version of Jetpack to close the hole.
I use WordPress.com. Does this affect me?
No, WordPress.com sites are not affected by this security issue. This issue only affects self-hosted WordPress sites using the Jetpack plugin.
Is Jetpack safe to use?
Yes, once you upgrade Jetpack to a secure version. This update addresses a severe security vulnerability that was recently discovered during an internal audit. You can read more about this vulnerability at the blog post linked to above.
Finding and fixing bugs is a key part of software development. We can’t promise there will never be another issue like this, but we can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible.
I still need some help!
If you still have questions, or need more help with the security update, please contact us.