Pierluigi Paganini October 15, 2024

WordPress Jetpack plugin issued an update to fix a critical flaw allowing logged-in users to view form submissions by others on the same site.

The maintainers of the WordPress Jetpack plugin have addressed a critical vulnerability that could allow logged-in users to access forms submitted by other users on the same site.

Jetpack is a popular plugin for WordPress that provides a suite of features to enhance website functionality, security, and performance. Automattic, the company behind WordPress.com, developed the plugin, which supports both free and premium tools.

The popular plugin is currently used on 27 million WordPress sites.

The flaw resides in the Contact Form feature in the plugin, it has impacted every version of Jetpack since 3.9.9 and was addressed with version 13.9.1.

Most websites have been or will soon be automatically updated to the latest version.

“During an internal security audit, we found a vulnerability with the Contact Form feature in Jetpack ever since version 3.9.9, released in 2016.” reads the advisory. “This vulnerability could be used by any logged in users on a site to read forms submitted by visitors on the site.”

The maintainers of the plugin are not aware of attacks in the wild that exploited this vulnerability.

“We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability.” concludes the report. “We apologize for any extra workload this may put on your shoulders today. We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe.”.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress Jetpack plugin)