WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin, which is installed on more than five million sites.
The vulnerability, which was uncovered during an internal security audit, resides in an API that has been present in the plugin since version 2.0, which was released in November 2012.
“This vulnerability could be used by a site builder to manipulate any files in the WordPress installation,” Jetpack said in an advisory. A total of 102 new versions of Jetpack have been released to fix the bug.
While there is no evidence that this issue has been exploited in the wild, it is not uncommon for vulnerabilities in popular WordPress plugins to be exploited by threat actors looking to take over sites for nefarious purposes.
This is not the first time a severe security flaw in Jetpack has prompted WordPress to force-install patches.
In November 2019, Jetpack released version 7.9.1 to fix a flaw in how the plugin handles embed code, a flaw that had existed since July 2017 (version 5.1).
The development also comes as Patchstack revealed a security flaw in the premium Gravity Forms plugin that allowed unauthenticated users to inject arbitrary PHP code.
The issue (CVE-2023-28782) affects all versions up to and including 2.7.3. It was addressed in version 2.7.4, which was made available on April 11, 2023.