Monday, April 14, 2014

Jetpack on hosted WordPress installations should be updated pronto for security flaw, similar in nature to Heartbleed, it seems

Bluehost and other hosting providers have notified WordPress customers using Jetpack to update their installations to Jetpack 2.9.3, to fix a two-year-old bug that would allow an attacker to bypass the control panel and publish material. WordPress has also said that it may disable Jetpack on installations that don’t update. Fortunately, the update is quick and can be done from the Plugins link on the control panel. The customer is updating his own hosted space, not his computer.
CSO has a story on the problem here. George Stephanis explained the fix on WordPress here.
It wasn’t immediately clear if this problem was related to Heartbleed, but the coding issues described sound similar. But the fix needs to be made even for users not using HTTPS encryption.

