Automattic, the company behind the open-source content management system WordPress, began forcibly installing a security patch on millions of websites today to address a critical vulnerability in the Jetpack WordPress plugin.
Jetpack is an extremely popular plugin that offers free website security, performance and management enhancements, including site backups, brute-force attack protection, secure logins, malicious software scanning, and more.
According to the official WordPress plugin repository, the plugin is maintained by Automattic and now has over 5 million active installs.
“During an internal security audit, we found a vulnerability with the API available in Jetpack since version 2.0, released in 2012,” said Jeremy Herve, developer relations engineer at Automattic.
“This vulnerability could be used by site authors to manipulate any file in the WordPress installation.”
Jetpack 12.1.1, the security patch now being pushed automatically to all WordPress websites using the plugin, started rolling out today and has already been installed on more than 4,130,000 sites running any version of Jetpack since 2.0.
This means that most of the vulnerable websites have already been automatically updated to the latest secure version, and the others will soon be fixed as well.
Herve also warned website administrators that, while there are no signs the bug has been abused in attacks, they should ensure their sites are secure, as attackers will most likely pick up on the details of the flaw and create exploits targeting unpatched WordPress websites.
“We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is possible that someone is trying to take advantage of this vulnerability,” Herve said.
“Please update your version of Jetpack as soon as possible to keep your site secure. To help you with this process, we have worked closely with the WordPress.org security team to release patched versions of each version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secure version.”
This isn’t the first time Automattic has used automated deployment of security updates to fix critical issues in WordPress plugins or installations.
For example, WordPress developer Samuel Wood said in October 2020 that Automattic has used this approach to push “plugin security releases” multiple times since the release of WordPress 3.7.