Jetpack has released a critical security update for its plugin. During a recent security audit, the Jetpack team discovered a vulnerability in the plugin that would allow an attacker to bypass a site’s access controls and publish posts to the affected WordPress installation(s).
This bug has existed since Jetpack 1.9, released in October 2012. Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur.
The secure versions are 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3, depending upon the version(s) of WordPress installed.
To avoid a breach, you should update your site as soon as possible.
Sites that don’t update may be disconnected from the Jetpack service for their own security, and will be able to reconnect as soon as their version of Jetpack is updated.
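To check a set of sites against the version list above, the following added example (not Jetpack's own code) classifies an installed Jetpack version by release branch. The inventory hostnames and versions are constructed, and how you collect the installed versions is left as an assumption.

```python
import re

# Fixed releases, one per Jetpack branch, copied from the advisory above.
FIXED = ["1.9.4", "2.0.6", "2.1.4", "2.2.7", "2.3.7", "2.4.4",
         "2.5.2", "2.6.3", "2.7.2", "2.8.2", "2.9.3"]
FIRST_AFFECTED = (1, 9)  # the advisory dates the bug to Jetpack 1.9

def parse(version):
    """'2.3' -> (2, 3, 0). Raises ValueError for anything but N.N or N.N.N."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

FIXED_BY_BRANCH = {parse(v)[:2]: parse(v) for v in FIXED}

def triage(version):
    """Classify one installed Jetpack version against the advisory."""
    try:
        v = parse(version)
    except ValueError:
        return "unparseable"          # e.g. a dev build; check by hand
    branch = v[:2]
    if branch < FIRST_AFFECTED:
        return "not-affected"         # predates the bug
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "unknown-branch"       # branch not listed in the advisory
    # Integer tuples, so 2.2.10 sorts after 2.2.7 (string comparison would not).
    return "patched" if v >= fixed else "vulnerable"

def needs_attention(inventory):
    """Return {site: status} for every site that is not patched or unaffected."""
    report = {site: triage(ver) for site, ver in inventory.items()}
    return {s: r for s, r in report.items() if r not in ("patched", "not-affected")}

# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE = {
    "blog.example.com": "2.9.2",
    "shop.example.com": "2.2.10",
    "old.example.com": "1.8.3",
    "news.example.com": "1.9",
    "dev.example.com": "2.9-alpha",
}

if __name__ == "__main__":
    for site, status in sorted(needs_attention(SAMPLE).items()):
        print(f"{site}: {status}")
```

Branches that the advisory does not list are reported as `unknown-branch` rather than assumed safe, so they can be checked against Jetpack's current release notes.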