Jetpack version 4.0.3 contains a critical security update, and you should update your site and any you help manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.
We realize that you may have questions. In this document, we cover:
- What is this security update?
- Why wasn’t I prompted to upgrade Jetpack?
- How do I know if I have the update?
- How do I upgrade Jetpack?
- Can you tell me how to edit the files myself?
- Should I change my password(s)?
- How would I know if my site has been exploited?
- I use WordPress.com. Does this affect me?
- Is Jetpack safe to use?
- I still need some help!
What is this security update?
During an internal security audit, we found a vulnerability in the way that some Jetpack shortcodes are processed. This bug has existed since Jetpack 2.0, released in November 2012.
Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid any problems, you should update your site as soon as possible.
You can read more about this update on our blog post.
Please upgrade Jetpack by following these instructions.
Why wasn’t I prompted to upgrade Jetpack?
The WordPress Security Team sent out an auto-upgrade to users who had installed more recent versions of WordPress on their site that included the built-in automatic update function in WordPress. Thus, many sites were automatically upgraded to Jetpack 4.0.3. To verify if you were automatically upgraded, you can check the version number of Jetpack by going to Plugins → Installed Plugins and checking Jetpack to see if you’re on version 4.0.3. If so, you were most likely updated by the WordPress Security Team.
How do I know if I have the update?
Visit the Plugins → Installed Plugins tab of your site’s Dashboard and find the Jetpack plugin. If your plugin version matches one of the versions listed here, you’ve already been updated to a secure version.
If not, you can follow the instructions on this page to update your version of Jetpack.
How do I upgrade Jetpack?
If you are notified of an update to Jetpack via WordPress update notifications, please use the automatic updater to update your install of Jetpack to the most recent version.
If you need to manually update or are using an older version of Jetpack (version 3.9 or older) and cannot upgrade to 4.0.3, please visit this support document for instructions on manually updating Jetpack through your Dashboard or through FTP.
Can you tell me how to edit the files myself?
We strongly advise that you upgrade the plugin as we describe above as Jetpack 4.0.3 fixes this vulnerability.
If you’d prefer to continue using the version you currently have installed, there are updated versions of Jetpack for every major release back to version 2.0.7. You can find full instructions on updating your version here.
Should I change my password(s)?
This vulnerability does not affect or expose passwords. However, it’s always good practice to periodically change your login passwords.
You can use this support document to help you develop secure passwords for your WordPress site:
http://codex.wordpress.org/Hardening_WordPress#Passwords
How would I know if my site has been exploited?
If you’ve updated to 4.0.3 (or an older, secure version), you’re in the clear. This security update not only fixes this vulnerability, but also fixes any potential exploits that may have been in place prior to the update. This is why upgrading to a secure version of Jetpack as soon as possible is so important.
If you’ve been using Akismet, you’re protected and have been since this vulnerability was first reported to our security team.
Also, any sites using VaultPress 1.8.3 will already have the fix automatically applied to their sites. We still recommend updating Jetpack as mentioned above to ensure your site is protected.
I use WordPress.com. Does this affect me?
Yes, WordPress.com sites would have been affected by this security issue. However, this vulnerability has already been fixed at the time of this release and we’ve confirmed the vulnerability had not been used on any WordPress.com sites.
Is Jetpack safe to use?
Yes, once you upgrade Jetpack to a secure version. This update addresses a security vulnerability that was recently discovered during an internal audit. You can read more about this vulnerability at the blog post linked to above.
Finding and fixing bugs is a key part of software development. We can’t promise there will never be another issue like this, but we can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible.
I still need some help!
If you still have questions, or need more help with the security update, please contact us and we’ll be happy to help!
