Updates have been issued by Jetpack for a critical plugin flaw that could have exposed personal data across 27 million WordPress sites, reports SC Media.
Despite no evidence of any active exploitation, the flaw within the plugin's Contact Form feature, which dates back to 2016, could be remotely leveraged by authenticated threat actors to compromise users' sensitive information, according to Qualys Threat Research Unit Manager of Security Research Mayuresh Dani.
"...[W]hile this feature is enabled by default, it can also be disabled. Teams should evaluate if this feature is being actively used or not and then disable it accordingly, especially if the plug-in cannot be updated," said Dani.
Immediate patching of the issue to prevent data exposure has also been urged by former National Security Agency cybersecurity expert Evan Dornbush. Such a development comes more than a year after Jetpack addressed a critical flaw in a plugin iteration from 2012.
