Jetpack Security Flaw

Jetpack is a plugin suite that combines essential WordPress features into one large plugin. It provides free security, performance, marketing, and website management features.

With Jetpack, you can: Get a safer, stronger site via secure logins and protection from brute force attacks. The plugin has over 5 million active installations, and it is developed and maintained by Automattic, the company behind WordPress.


Automattic force deploys a security update on over five million websites running vulnerable Jetpack versions.

Security Update for all Sites using the Carousel Feature

A security flaw stems from the Carousel feature and its option to display comments for each image. With the Carousel feature active, any standard WordPress galleries you have embedded in posts or pages will launch a gorgeous full-screen photo browsing experience with comments and EXIF metadata.

“There is no evidence that this vulnerability has been exploited in the wild. Nevertheless, at present the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability”, says Jetpack Development Team.

The statement made by Automattic says “the bug impacts all versions starting with the Jetpack 2.0 release and going back to November 2012”.

It is recommended to update your version of Jetpack as soon as possible. Patched versions of every version of Jetpack since 2.0 has been released. Most websites have been or will soon be automatically updated to a secured version.

Versions released include: 2.0.8, 2.1.6, 2.2.9, 2.3.9, 2.4.6, 2.5.4, 2.6.5, 2.7.4, 2.8.4, 2.9.5, 3.0.5, 3.1.4, 3.2.4, 3.3.5, 3.4.5, 3.5.5, 3.6.3, 3.7.4, 3.8.4, 3.9.8, 4.0.5, 4.1.2, 4.2.3, 4.3.3, 4.4.3, 4.5.1, 4.6.1, 4.7.2, 4.8.3, 4.9.1, 5.0.1, 5.1.2, 5.2.3, 5.3.2, 5.4.2, 5.5.3, 5.6.3, 5.7.3, 5.8.2, 5.9.2, 6.0.2, 6.1.3, 6.2.3, 6.3.5, 6.4.4, 6.5.2, 6.6.3, 6.7.2, 6.8.3, 6.9.2, 7.0.3, 7.1.3, 7.2.3, 7.3.3, 7.4.3, 7.5.5, 7.6.2, 7.7.4, 7.8.2, 7.9.2, 8.0.1, 8.1.2, 8.2.4, 8.3.1, 8.4.3, 8.5.1, 8.6.2, 8.7.2, 8.8.3, 8.9.2, 9.0.3, 9.1.1, 9.2.2, 9.3.3, 9.4.2, 9.5.3, 9.6.2, 9.7.1.

If you are running any of these versions, your website is not vulnerable to this issue.

Jetpack Patch

With most sites already having been updated, Automattic is force installing patched versions on all websites running vulnerable Jetpack versions.

Through Jetpack 9.8, it is made easier to engage the audience via WordPress Stories by bringing the Story Block to the web block editor. Backend changes are also made on the Carousel feature that improves the page performance.

Also Read

XSS Flaw Impacting 100,000 WordPress Sites – Update Now!!

Critical Bugs In Two WordPress Plugin Let Hackers Gain Access To 1 Million Sites

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.