# Jetpack fixes 8-year-old flaw affecting millions of WordPress sites

*Also, new EU cyber reporting rules are live, exploiters hit the gas pedal, free PDNS for UK schools, and more*

[Brandon Vigliarolo](/Author/Brandon-Vigliarolo) Fri 18 Oct 2024 // 22:30 UTC

**In brief** A critical security update for the near-ubiquitous WordPress plugin Jetpack was released last week.
Site administrators should ensure the latest version is installed to keep their sites secure.

Jetpack is a WordPress plugin developed by Automattic, offering features like antispam filtering, site analytics, and more. It [released](https://jetpack.com/blog/jetpack-13-9-1-critical-security-update/) security patches for 101 different versions going all the way back to 2016's version 3.9.9, which introduced a flaw that has been present in the product ever since.

"During an internal security audit, we found a vulnerability with the Contact Form feature in Jetpack," the team said. "This vulnerability could be used by any logged in users on a site to read forms submitted by visitors on the site."

In other words, it has a lot of potential to do damage, but only in a very particular circumstance: the attacker must already hold an account on the site.

Jetpack claims there is no evidence that the vulnerability has ever been exploited in the wild, but it predicts that won't last now that it has told the world about the matter.

"Now that the update has been released, it is possible that someone will try to take advantage of this vulnerability," Jetpack noted.

The post didn't include a CVE identifier, and it's not clear if one has been assigned since. We've reached out to the Jetpack team for comment, but they haven't responded.
As others have pointed out, Jetpack has long been a standard part of any new WordPress site, which means it's present in a lot of places: approximately [27 million sites](https://www.scworld.com/news/jetpack-patches-critical-bug-that-exposed-data-on-27m-wordpress-sites) by one estimate. Jetpack said the updated version should have been automatically installed on all affected websites, so WordPress administrators don't necessarily need to panic.

That said, it's still a good idea to double-check your Jetpack version to be sure you're not still on an old one.

### Critical vulnerabilities of the week

Only one major issue to report this week that wasn't covered elsewhere, but it's a doozy for anyone using Veeam Backup & Replication software.

[CVE-2024-40711](https://nvd.nist.gov/vuln/detail/CVE-2024-40711), with a CVSS score of 9.8, is a deserialization of untrusted data vulnerability that can allow an unauthenticated remote attacker to execute code. It's present in Veeam Backup & Replication version 12.1.2.172 and earlier, so get those updates installed ASAP.

Veeam also patched [other](https://nvd.nist.gov/vuln/detail/CVE-2024-40711) vulnerabilities this week, including a pair of CVSS 8.8 issues that allow MFA bypass and data exfiltration.
Get patching.

### New EU cyber incident reporting rules go into effect

The EU has [officially](https://ec.europa.eu/commission/presscorner/detail/en/ip_24_5342) adopted the first rules implementing the NIS2 cybersecurity directive, so companies in critical infrastructure sectors ought to prepare for stricter incident reporting rules as their home countries implement their own local regulations.

[NIS2](https://ec.europa.eu/commission/presscorner/detail/en/ip_24_5342), which modified prior cybersecurity rules and went into force in 2023, places several new requirements on critical sector firms, including giving them 24 hours to report a cyber incident and 72 hours to disclose information loss. Companies that don't comply will be fined up to €10 million or 2 percent of their global turnover.

The new rule covers companies in the sectors one would normally consider critical infrastructure, and, like similar bills in the US, strives to make companies improve their reporting to consolidate threat intelligence.

"In today's cybersecurity landscape, stepping up our capabilities, security requirements and rapid information sharing with up-to-date rules is of paramount importance," said EU antitrust chief Margrethe Vestager. "I urge the remaining Member States to implement these rules at national level as fast as possible."

### Be heard: Weigh in on CISA's list of bad product security practices

CISA and the FBI have put together a [document](https://www.cisa.gov/resources-tools/resources/product-security-bad-practices) outlining bad product security practices, and they want the public to weigh in on whether anything else is needed.

The document is designed for "software manufacturers who develop software products … used in support of critical infrastructure," but its recommendations apply just as much to other firms, too.
In it, CISA and the FBI break down three categories of bad practices (product properties, security features, and organizational processes and policies) that they say affect secure development, and discuss a number of common problems that fall into them.

There's plenty to comment on, perhaps most critically the fact that CISA notes the guidance is "non-binding" and imposes "no requirement" on companies to adopt better secure software development practices.

If you have an opinion on that, or anything else in the CISA/FBI doc, you can [speak your mind](https://www.federalregister.gov/documents/2024/10/16/2024-23869/request-for-comment-on-product-security-bad-practices-guidance) until December 2, 2024.

### Some good news: Free cybersecurity service for UK schools

Following the successful trial of a protective DNS service for schools, the UK National Cyber Security Centre is extending the program to other educational institutions.

Multi-academy trusts, academies, independent schools and school internet service providers are all being encouraged to sign up for the service, which offers schools DNS filtering from Cloudflare and Accenture to limit access to domains known to host malware and other nasties.

Even better, it's free.

"We have worked closely with the [NCSC] on this service to ensure all schools can now benefit from enhanced cyber resilience at no cost to them and I encourage settings to take advantage of this enhanced protection," UK minister for early education Stephen Morgan said of the news.

Interested institutions can [sign up](https://www.signin.service.ncsc.gov.uk/auth/realms/ukncsc/protocol/openid-connect/auth?client_id=uui-prod&redirect_uri=https%3A%2F%2Fmy.ncsc.gov.uk%2Foauth2%2Fidpresponse&response_type=code&scope=openid&state=9DU8sI8fJkMswh5Qs1XwVsTwdkBJsfT3SubeDg37SmrcGQfjTBZJ5GK%2FtYrwIoocK4zbjpVXkpL%2BeXYojixWD3yWeuSw6ev3JZzJe9HZiD38%2FmZGJrDMZPyL1Jk4fa9NXOxN%2BOfaXMZ7sA1wQW%2FKQctKuSyKMhaTupvmuZNHjrPuFMUL4AoM4TTgBdpdtGbFkPrjGXJak6oV7gEzu55JiXO9RuE713e0CZ8yYknMSTklcKQzvsiqTlmD9iOZhDClJciojpEkgPOPYXM%2B) through the NCSC.

### Cybercriminals are moving faster than ever

In the olden days of five years ago, it used to take months for threat actors and cybercriminals to start taking advantage of a newly discovered vulnerability, but that window has shrunk to several days.

Google's Mandiant threat hunters released a [report](https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023) on 2023 time-to-exploit trends and found that, from 2022 to 2023, the average observed time to exploit (TTE) shrank from 32 days to just five, meaning threat actors are moving incredibly quickly nowadays. That drop wasn't gradual, either: from 2018 to 2019 Mandiant said it was around 63 days, which dropped to 44 in 2021, before lowering to 32 in 2022.

That suggests a shift to exploiting new, relatively unknown vulnerabilities, which is borne out by another statistic from the same report: the team said the observed ratio of n-days to zero-days has changed to 30:70. Last year, it was a ratio of 38 to 62.

"The shifting ratio appears to be influenced more by the recent increase in zero-day usage and detection rather than a drop in n-day usage," Mandiant said.

In other words, don't sleep on those zero-day patches.