An Important Jetpack Plugin Security Update

A high priority security update to the very popular Jetpack plugin has just been released by its developers.

Since a significant number of our customers use Jetpack on their installs, we decided to bring as much attention to this matter as possible. We suggest that you upgrade to the newest release immediately if you are currently running Jetpack.

If something is holding you or your client(s) on an older version of Jetpack, the WordPress security team has made updates to every affected release of the plugin. Check your current version number by logging into your WordPress dashboard and going to Plugins -> Installed Plugins. Then, grab and install the update from the following list that matches your major version number:

• 1.9.4
• 2.0.6
• 2.1.4
• 2.2.7
• 2.3.7
• 2.4.4
• 2.6.3
• 2.7.2
• 2.8.2
• 2.9.3

This security update fixes a vulnerability that could allow an attacker to bypass a site’s access controls and publish posts. This bug could also be combined with other attacks to escalate access.

More details on this release are available on the official Jetpack blog.

We have worked with the Jetpack developers to keep the vulnerability from affecting existing WP Engine installs by blocking attacks at the server level. With that being said, we strongly recommend you update Jetpack sooner rather than later.

Thanks for choosing WP Engine!

Update: The Jetpack team has stated that they will start disconnecting users who do not upgrade the plugin to a secure version sometime in the next few hours. If you wait too long to upgrade, your site(s) might lose some Jetpack functionality and require reauthentication before those features come back.