Jetpack patched an exploitable vulnerability in their Carousel feature this week. The patch was delivered through a “forced update.” For some people, it happened overnight. Even WordPress websites that had specifically turned off auto-updates received the update.
Tony Perez took a deeper dive into what happened and shared the community feedback he received:
- The Meta/Security team with the WordPress Foundation made the decision to push the update — not Automattic or Jetpack.
- It’s important to differentiate between Auto-updates and Forced Updates. WordPress 5.5 introduced auto-updates, but forced updates are different. They have always been in the WordPress platform for emergencies.
John Jacoby on Twitter firmly stated that “Jetpack did not disobey user settings. It cannot and did not update or heal itself.”
I agree with Tony: forced updates are “especially dangerous when put into the hands of a bad actor.” But perhaps for now, the risks are outweighed by the benefits. Either way, if documentation or explanations about “Forced Updates” exist on the official WordPress.org site, I haven’t seen them. This seems like an important thing to explain well for the community.