Jetpack 4.2.1 was released with several security vulnerabilities fixed
For all of you using the very helpful Jetpack plugin in your WordPress installations, we suggest updating the plugin to the latest version. As we see in the changelog, there have been several performance improvements along with bug fixes and 3 security fixes. According to the official release article:
Our development team is always working to make Jetpack secure and safe to use on your sites. In Jetpack 4.2, we continue that work and have fixed a few vulnerabilities in this release.
- Contact Form: we made changes to avoid potential formula injections in Contact Form submission exports.
- General: XSS Vulnerability due to the misuse of the add_query_arg() function. Kudos to Karim Valiev, Mail.Ru Security Team
- General: More changes to harden Jetpack security by implementing the hash_equals() function in an effort to avoid timing attacks when comparing strings. Thanks to Scott Arciszewski.
So, please update to keep your WordPress installation safe and secure!
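The Contact Form item in the release notes concerns CSV exports: a submitted field that begins with =, +, - or @ can be evaluated as a formula when the export is opened in a spreadsheet. The following PHP sketch of neutralizing cells before export is an added example, not Jetpack's code; the function names and the sample rows are made up for illustration.

```php
<?php
// Added example; function names are hypothetical, not Jetpack's.

// Prefix a cell with a single quote when a spreadsheet would read it as a
// formula: leading =, +, -, @ (optionally after whitespace), or a leading
// tab / carriage return. Side effect: "-5" is exported as "'-5".
function example_neutralize_csv_cell( $value ) {
    $value = (string) $value;
    if ( preg_match( '/^[\t\r]|^\s*[=+\-@]/', $value ) ) {
        return "'" . $value;
    }
    return $value;
}

// Write rows to CSV, neutralizing every cell first. fputcsv() takes care
// of quoting commas, double quotes and embedded newlines.
function example_export_csv( array $rows ) {
    $out = fopen( 'php://memory', 'w+' );
    foreach ( $rows as $row ) {
        $safe = array_map( 'example_neutralize_csv_cell', $row );
        fputcsv( $out, $safe, ',', '"', '\\' );
    }
    rewind( $out );
    $csv = stream_get_contents( $out );
    fclose( $out );
    return $csv;
}

// Constructed sample submissions (not real data).
$submissions = array(
    array( 'Name', 'Email', 'Message' ),
    array( 'Alice', 'alice@example.com', 'Hello, I have a question.' ),
    array( '=SUM(A1:A9)', 'bob@example.com', '  +1 for this plugin' ),
    array( 'Carol', 'carol@example.com', "@mention\nsecond line" ),
);

echo example_export_csv( $submissions );
```

The neutralization has to happen at export time on every cell, since the same stored submission is harmless when rendered as HTML and only becomes active content inside a spreadsheet.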