WordPress force installs Jetpack security update on 5 million sites:
Jetpack is a remarkably popular WordPress plug-in that provides free security, performance, and website management features, including brute-force attack protection, site backups, secure logins, and malware scanning.
The plugin has more than 5 million active installations, and it is developed and maintained by Automattic, the company behind WordPress.
[...] The vulnerability was found in the Carousel feature and its option to display comments for each image, with nguyenhg_vcs being the one credited for responsibly disclosing the security bug.
No other details regarding this security flaw are available, so as to protect the sites that haven't yet been updated. However, we do know that Automattic addressed it with added authorization logic.
The announcement made by Automattic says the bug impacts all versions starting with the Jetpack 2.0 release and going back to November 2012.
The Jetpack development team added that it found no evidence that the vulnerability has been exploited in the wild.
"However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability," the developers warn.
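The article says only that the fix consisted of "added authorization logic" for the per-image comment display, and withholds the specifics. As an added illustration, not Jetpack's code and not a description of the actual bug, the following shows the general pattern a WordPress plugin author uses when an AJAX handler hands out comment data: resolve the post the caller names, then require that the current visitor may read that post (and, for an attachment, its parent) before touching its comments. The handler names, action names, and the `post_id` parameter are hypothetical; the WordPress APIs called (`get_post`, `current_user_can`, `post_password_required`, `get_comments`, `wp_send_json_*`) are real.

```php
<?php
/**
 * Added, hypothetical example (not Jetpack's code): gating per-image comment
 * data behind WordPress's own visibility and capability checks.
 */

// Weak pattern: returns approved comments for whatever post id the caller
// names, without asking whether the caller may see that post at all.
function example_image_comments_unchecked() {
    $post_id  = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $comments = get_comments( array( 'post_id' => $post_id, 'status' => 'approve' ) );
    wp_send_json_success( array_map( 'example_public_comment_fields', $comments ) );
}

// Hardened pattern: authorize against the post before reading its comments.
function example_image_comments_checked() {
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    if ( ! $post instanceof WP_Post ) {
        wp_send_json_error( 'not found', 404 );
    }

    // A gallery image is an attachment whose visibility follows its parent
    // post (attachments carry the status 'inherit'), so authorize the parent.
    $visible = $post;
    if ( 'attachment' === $post->post_type && $post->post_parent ) {
        $parent = get_post( $post->post_parent );
        if ( $parent instanceof WP_Post ) {
            $visible = $parent;
        }
    }

    // Drafts, private and trashed posts: the visitor must hold the
    // 'read_post' meta capability for that specific post.
    if ( 'publish' !== $visible->post_status
        && ! current_user_can( 'read_post', $visible->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Password-protected posts: the visitor must have entered the password.
    if ( post_password_required( $visible ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $comments = get_comments( array( 'post_id' => $post->ID, 'status' => 'approve' ) );
    wp_send_json_success( array_map( 'example_public_comment_fields', $comments ) );
}

// Expose only the fields that are already public on the rendered page.
function example_public_comment_fields( $comment ) {
    return array(
        'id'      => (int) $comment->comment_ID,
        'author'  => $comment->comment_author,
        'date'    => $comment->comment_date_gmt,
        'content' => wp_kses_post( $comment->comment_content ),
    );
}

// The 'nopriv' hook makes the endpoint reachable by anonymous visitors, which
// is exactly why the handler itself, not the hook, must do the authorization.
add_action( 'wp_ajax_example_image_comments',        'example_image_comments_checked' );
add_action( 'wp_ajax_nopriv_example_image_comments', 'example_image_comments_checked' );
```

The point of the contrast is that `wp_ajax_nopriv_*` endpoints are public by design, so any object id they accept has to be re-authorized server-side; the capability and password checks above are the same ones WordPress core applies when it renders the post itself.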
(Score: 1, Informative) by Anonymous Coward on Friday June 04 2021, @02:13AM
very programmer, [wordpress.org] much logic...
(Score: 3, Interesting) by bzipitidoo on Friday June 04 2021, @06:15PM (4 children)
I've worked on several WordPress sites, on behalf of the nominal owners, and these sites all share the feature of not being totally under the owner's control. The owner can manage web pages, manage the content, through an interface, but little more than that. Treats owners like lusers. The owner is less able to manage the look. It's similar to the way "your" iPhone or Android device isn't entirely yours.
The owner gets some "skin" for their site that conveniently leaves out a lot of functionality. You can't back up your site. Should be able to just zip up the directory tree containing all the website files, be that /var/www or elsewhere, but you don't have that kind of access to the server, and there isn't any functionality within the typical WordPress interface for doing that. The skin often comes in two versions, a free one with even more limited features and functionality, and a paid one with a few more bells and whistles. A major frustration with a skin is that there is so much indirection. The CSS file that is supposed to control the appearance of a page or two may have been made into a red herring, so that it doesn't matter what edits you make, the look of those pages will remain unchanged. Have to dig around to find out which CSS file is really in control. The complication is excessive, unnecessary, and seemingly on purpose, to make website owners even more dependent upon the suppliers of the skins and the hosting services.
Force install? Par for the course in WordPress land.
(Score: 0) by Anonymous Coward on Friday June 04 2021, @08:22PM
sounds like geocities ^_^
(Score: 0) by Anonymous Coward on Saturday June 05 2021, @07:54PM (1 child)
Do you use a content management system, or have a preferred one?
(Score: 2) by bzipitidoo on Saturday June 05 2021, @08:28PM
No, no CMS apart from the online interface provided in Wordpress. If we did have something external, we'd have a rough time populating it. Sad to have to scrape your own web site to back it up.
(Score: 2) by EvilSS on Sunday June 06 2021, @06:02PM
So host on your own servers and write your own skins. You can download WordPress for free; you are not forced to use a hosting provider.