
Jetpack 13.9.1 Patches a Critical Security Flaw

Jetpack 13.9.1, a critical security update, was released yesterday to fix a vulnerability in the Contact Form feature that had been present since 2016. This flaw allowed logged-in users of a site to access forms submitted by visitors.

The vulnerability was discovered during an internal security audit, prompting the Jetpack team to collaborate with the WordPress.org Security Team to release patches for all versions of Jetpack dating back to 3.9.9.

A full list of the 101 different versions of Jetpack released yesterday is available.

The Jetpack team also warned: “We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone will try to take advantage of this vulnerability.”

Wordfence team shared that the plugin is “vulnerable to unauthorized access of data due to missing capability checks in the Contact_Form_Endpoint class in various versions up to, but not including, 13.9.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to read all Jetpack form submissions on the site.”
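To illustrate the class of defect Wordfence describes, here is an added example (not Jetpack's own code) of a WordPress REST route that returns form submissions: the weak permission callback only confirms that a user is logged in, so any subscriber passes, while the hardened one requires an actual capability. The route name, function names and the `example_form_entry` post type are assumptions made for this illustration.

```php
<?php
// Illustrative plugin snippet, not Jetpack code. Names below are assumptions.

// Weak pattern: this only answers "is someone logged in?", not "is this user
// allowed to read submissions?". A subscriber account satisfies it.
function example_weak_submissions_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened pattern: require a capability that subscribers do not hold.
// 'edit_others_posts' is a built-in capability granted to editors and
// administrators; a plugin may register a dedicated capability instead.
function example_submissions_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view form submissions.' ),
            // 401 for anonymous callers, 403 for logged-in users lacking the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler that exposes the submissions. Here they are assumed to be stored
// as a custom post type named 'example_form_entry'.
function example_list_form_submissions( WP_REST_Request $request ) {
    $entries = get_posts( array(
        'post_type'   => 'example_form_entry',
        'post_status' => 'any',
        'numberposts' => 50,
    ) );
    $out = array();
    foreach ( $entries as $entry ) {
        $out[] = array(
            'id'      => $entry->ID,
            'date'    => $entry->post_date_gmt,
            'content' => $entry->post_content,
        );
    }
    return rest_ensure_response( $out );
}

// Register the route with the hardened check. Swapping in
// 'example_weak_submissions_permission' here reproduces the missing-capability bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-forms/v1', '/submissions', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_form_submissions',
        'permission_callback' => 'example_submissions_permission',
    ) );
} );
```

When auditing a plugin for this class of issue, look at every `register_rest_route` call and confirm its `permission_callback` checks a capability with `current_user_can()` rather than just login state or nothing at all.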

The vulnerability has been given a CVSS score of 4.3, and users are advised to update to Jetpack 13.9.1 to secure their websites.

The Jetpack team reassured users, stating, “We will continue to regularly audit all aspects of our codebase to ensure that your Jetpack site remains safe.”

Update: WPScan will share the Proof of Concept on November 11, 2024, to give users time to update. The vulnerability was reported by their researcher Marc Montpas.