Source URL: https://www.theregister.com/2024/10/18/jetpack_patches_wordpress_vulnerability/
Source: The Register
Title: Jetpack fixes 8-year-old flaw affecting millions of WordPress sites
Feedly Summary: Also, new EU cyber reporting rules are live, exploiters hit the gas pedal, free PDNS for UK schools, and more
in brief A critical security update for the near-ubiquitous WordPress plugin Jetpack was released last week. Site administrators should ensure the latest version is installed to keep their sites secure. …
AI Summary and Description: Yes
Summary: The text highlights critical security updates for the WordPress Jetpack plugin and Veeam backup software while also addressing new EU cybersecurity regulations. These updates and regulations emphasize the growing importance of timely patching and incident reporting in the cybersecurity landscape, which is essential for professionals involved in software and cloud security.
Detailed Description: The provided text covers a range of recent security updates and regulatory changes that have significant implications for various stakeholders in cybersecurity, particularly those in web development, cloud services, and compliance.
– **Jetpack Security Update:**
  – Jetpack, a widely used WordPress plugin, recently released critical security updates addressing a vulnerability dating back to 2016.
  – The flaw, in the Contact Form feature, could allow logged-in users on a site to read data submitted by visitors through its forms. Although there are no known exploitations, the disclosure could attract malicious actors.
  – Approximately 27 million WordPress sites use Jetpack, underscoring the potential risk if the update is not installed.
– **Veeam Backup Software Vulnerability:**
  – A severe vulnerability (CVE-2024-40711) has been identified in Veeam Backup & Replication software, allowing unauthenticated attackers to execute code remotely. It has a CVSS score of 9.8, warranting immediate updates.
  – Other vulnerabilities in the same software, related to MFA bypass and data exfiltration, also require prompt attention from users.
– **EU Cyber Incident Reporting Rules:**
  – The EU’s new NIS2 rules, which enact stricter cybersecurity incident reporting requirements for critical infrastructure sectors, are now in effect, requiring companies to report incidents within 24 hours and data losses within 72 hours.
  – Companies face fines of up to €10 million or 2% of their global turnover for non-compliance. This reflects a broader trend toward strengthening cybersecurity efforts and threat intelligence within critical sectors.
– **CISA’s Public Feedback on Product Security Practices:**
  – CISA and the FBI have opened a public comment period on a document outlining poor product security practices, focusing on software used in critical infrastructure.
  – Although non-binding, the practices discussed can inform better software development protocols among manufacturers.
– **Cybersecurity Trends:**
  – A report by Mandiant reveals that the average time-to-exploit for vulnerabilities has fallen sharply, from 32 days in 2022 to just five days in 2023. This emphasizes how quickly new vulnerabilities, particularly zero-days, are exploited.
  – The shift in the ratio of n-day to zero-day exploitation indicates an alarming trend in cyber threats and stresses the need for organizations to remain vigilant about patch management.
The outlined developments underline the critical need for security professionals to ensure timely updates and adherence to evolving regulatory requirements to mitigate risks associated with vulnerabilities in widely used software and systems.