
Jetpack has just rolled out version 13.9.1 to address a critical security flaw in its Contact Form feature, a vulnerability that has been present since 2016. This newly patched flaw could have allowed logged-in users on a website to access private information from form submissions, posing a risk of unauthorized data exposure.

Discovery and Immediate Action
The issue came to light during an internal security audit by the Jetpack team, who quickly joined forces with the WordPress.org Security Team to develop a fix. Their priority was to safeguard all users, so they crafted patches not only for the latest version but for every Jetpack release dating back to 3.9.9, ensuring that even older sites running previous versions remain protected.

While the Jetpack team has found no evidence that the vulnerability has been exploited so far, they cautioned users: with the update now available, the possibility of bad actors attempting to exploit this flaw has increased. In cybersecurity, timing is critical, and proactive updates are the best defense against newly disclosed risks.

Technical Details and Security Rating
Security researchers at Wordfence highlighted that the issue stems from missing capability checks within the plugin's `Contact_Form_Endpoint` class. Because of this oversight, any logged-in user, even one with only subscriber-level access, could read form submissions made by other site visitors. The vulnerability received a CVSS (Common Vulnerability Scoring System) score of 4.3, indicating a moderate level of severity, and reinforces the importance of an immediate update to the newest Jetpack version.
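The following is an added illustration of the bug class described above, not Jetpack's own code: a WordPress REST route that returns contact-form submissions, shown with a permission callback that only checks whether the caller is logged in (the pattern a subscriber can pass) next to a hardened callback that requires a real capability. The route name `example/v1/feedback`, the function names, the lookup of submissions as a `feedback` post type and the choice of the `manage_options` capability are all assumptions made for this example.

```php
<?php
/**
 * Added example (not Jetpack's code). Route name, function names, the
 * 'feedback' post type and the 'manage_options' capability are assumptions.
 */

// Weak pattern: the only gate is "is the caller logged in?". A subscriber
// account satisfies this, so it can read every stored submission.
function example_feedback_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: require a capability that subscribers do not hold.
// 'manage_options' is an administrator capability by default; choose the
// narrowest capability that matches who should read submissions on your site.
function example_feedback_permission_strict( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to read form submissions.', 'example' ),
            // 401 for anonymous callers, 403 for authenticated ones.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Shared handler: lists the most recent submissions (assumed to be stored as
// posts of the 'feedback' type) without any authorization logic of its own,
// so the permission_callback is the only thing standing between a caller and
// the data.
function example_feedback_list( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_type'   => 'feedback',
        'post_status' => 'any',
        'numberposts' => 20,
    ) );

    $items = array();
    foreach ( $posts as $post ) {
        $items[] = array(
            'id'      => $post->ID,
            'date'    => $post->post_date_gmt,
            'content' => $post->post_content,
        );
    }
    return rest_ensure_response( $items );
}

add_action( 'rest_api_init', function () {
    // Only the hardened permission callback is wired up; the weak one is kept
    // above purely for contrast.
    register_rest_route( 'example/v1', '/feedback', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_feedback_list',
        'permission_callback' => 'example_feedback_permission_strict',
    ) );
} );
```

When reviewing a plugin's REST routes, the `permission_callback` argument is the place to look: `__return_true`, `is_user_logged_in()`, or a check on a capability every role holds (such as `read`) all let low-privilege accounts reach data the handler returns, which is the shape of the flaw this update fixes.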

Action Recommended: Update to Jetpack 13.9.1
Website owners using Jetpack are strongly advised to update to version 13.9.1 without delay to prevent any potential misuse of the Contact Form feature. Updating will block unauthorized users from accessing form data, securing sensitive information shared by visitors.

The Jetpack team assured users of their commitment to maintaining security across their plugin. They stated, “We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe,” emphasizing their proactive approach to software security.

Upcoming Proof of Concept Release
WPScan, a widely trusted vulnerability database, will release a proof of concept for this issue on November 11, 2024. This delay is intentional, allowing users ample time to secure their sites by updating Jetpack before more detailed technical information becomes publicly available. The vulnerability was initially reported by WPScan researcher Marc Montpas, highlighting the value of ongoing vigilance in cybersecurity.

Key Takeaway
If you’re a Jetpack user, updating to version 13.9.1 is essential to ensure your site’s security. Taking this step will protect both you and your visitors, reaffirming the importance of regular plugin maintenance and proactive updates to guard against emerging vulnerabilities.

Jetpack 13.9.1: Essential Security Update to Fix Contact Form Vulnerability

Aaron Fernandes

Aaron Fernandes is a web developer, designer, and WordPress expert with over 11 years of experience.