Version 2.9.3 of the WordPress plugin Jetpack contains a critical security update, and you should update your site as soon as possible.
During an internal security audit, the Jetpack team found a bug that allows an attacker to bypass a site's access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.
All Jetpack versions from 1.9 through 2.9.2 (inclusive) are vulnerable.
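To find sites that still need the update, the following added example (not part of the original advisory or of Jetpack itself) reads the `Version:` field from a plugin header comment and checks it against the vulnerable range stated above. The function names and the sample header are constructed for illustration, and the example assumes versions are dotted numbers, ignoring any suffix after them.

```python
import re

# Range taken from the advisory: 1.9 through 2.9.2, inclusive.
FIRST_VULNERABLE = (1, 9)
LAST_VULNERABLE = (2, 9, 2)

# "Version:" line inside a plugin header comment, e.g. " * Version: 2.9.2"
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

def parse_version(text):
    """'2.9.2' -> (2, 9, 2). Trailing zeros are dropped so 2.9.2.0 == 2.9.2."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_vulnerable(version_text):
    """True when the version falls inside the advisory's vulnerable range."""
    return FIRST_VULNERABLE <= parse_version(version_text) <= LAST_VULNERABLE

def classify(plugin_source):
    """Classify the contents of a plugin's main PHP file by its header version."""
    m = HEADER_VERSION.search(plugin_source)
    if m is None:
        return "unknown"
    try:
        return "vulnerable" if is_vulnerable(m.group(1)) else "not in range"
    except ValueError:
        return "unknown"

# Constructed sample header, not copied from a real installation.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Jetpack (constructed sample)
 * Version: 2.9.2
 */
"""

if __name__ == "__main__":
    print("sample header:", classify(SAMPLE_HEADER))
    for v in ("1.8.3", "1.9", "2.9", "2.9.2", "2.9.3"):
        print(v, "vulnerable" if is_vulnerable(v) else "not in range")
```

A result of `unknown` means the header could not be read and the site should be checked by hand rather than assumed safe.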
- Upgrade to the latest version of Jetpack.