JetPack that is yet to be updated, Automattic did address it with an additional layer of authorization...

Continue reading
Jetpack was recently targeted by a hidden security vulnerability affecting almost all the versions ever released, ranging from Jetpack 2.0 all the way back to November 2012. However, the Automattic product reportedly forced deployed a security update on over five million websites actively running with its compromised version. Yes, Jetpack is the most popular WordPress plugin that amalgamates all the superior features, namely free security, performance, marketing & website management features, including custom brute-force attack protection, timely site backups, secure logins, and malware scanning for securely maintaining any website running on WordPress. This plugin currently has over five million active installations.
We released a security update for Jetpack that fixes a vulnerability in the plugin, so if you're not using the version with the fix, you will see that message in Scan. You can check the version number against the list here to see if you're up to date: https://t.co/OhgYtVdmOV
— Jetpack (@jetpack) June 3, 2021
While the vulnerability is yet to be exploited based upon the initial analysis but it was first spotted in the steams from the Carousel feature along with its option to display comments for each image attributing to nguyenhg_vcs for being credited for responsibly bringing the security vulnerability to everyone's notice.
>“There is no evidence that this vulnerability has been exploited in the wild. Nevertheless, at present, the update has been released; it is only a matter of time before someone tries to take advantage of this vulnerability”, says Jetpack Development Team.

Although there aren't enough details available in the public domain on this security vulnerability in order to defend those sites which are running on WordPress installed with JetPack that are yet to be updated, Automattic did address it with an additional layer of authorization logic.
>"However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability," the Jetpack developers alerted .
Further, this force installation of the security patch has already updated most of the websites.
"To help you in this process, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0," Automattic said. "Most websites have been or will soon be automatically updated to a secured version."
Automattic wasn't found to be executing such force installation of the security update for the first time to patch vulnerable plug-ins or WordPress installations. Andrew Nacin, a leading WordPress developer in 2015, took to Twitter about the usage of automated updates only five times since its launch.
In the same regard, another WordPress developer named Samuel Wood hightighted in October 2020 that Automattic opted for forced security updates feature to push "security releases for plugins many times" since WordPress 3.7 was released.
All of these instances hinting towards the fact that Automattic is more used to deploys forced security updates to patch plug-ins used by millions of sites against critically identified vulnerabilities.
Even though it has been easier via Jetpack 9.8 to engage the audience via WordPress Stories while bringing the Story Block to the web block editor, all the necessary backend changes were also made on the Carousel feature that improves the overall page performance.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.