Vulnerability Detected in Jetpack CRM – What You Need To Know

Posted on September 14, 2021 by Mike Stott

On 11th August 2021 the team identified and confirmed a security issue in Jetpack CRM and WooCommerce Connect which could allow an unauthorised individual to view CRM invoices that weren’t associated with their own account.

The vulnerability was patched in version 4.2.4 of Jetpack CRM Core and version 2.13 of WooCommerce Connect, which were both recently released. We have no evidence that this vulnerability has been exploited, but we strongly advise you to update the extension and core CRM plugin as soon as possible.

While the issue was patched, we do not have a means to force security updates to CRM extensions, so we have added additional patches to the CRM core to secure installs where WooCommerce Connect hadn’t been updated. These updates to Jetpack CRM core began rolling out on 4th September 2021 to all sites running impacted versions of Jetpack CRM through the WordPress.org automatic software update system, but we still highly recommend running the latest version available from WordPress.org.

How do I know if my version is up-to-date?

The table below contains a full list of patched versions for both Jetpack CRM and WooCommerce Connect. If you are running a version of Jetpack CRM or WooCommerce Connect that is not on this list, please update immediately to the highest version in your release branch.

Jetpack CRM (core)     Jetpack CRM WooCommerce Connect
4.2.4 (or higher)      2.13 (or higher)
4.1.1
4.0.18
3.0.20

*Note: versions prior to 3.0 of the core CRM plugin were not affected – but we strongly urge you to use the latest version of Jetpack CRM.

How do I manually update the CRM?

Your site may not have automatically updated for a number of reasons, which may mean it requires a manual update. A few reasons include the following:

  • your site is running an old version that is not impacted (i.e. Zero BS CRM prior to 3.0)
  • automatic updates have been explicitly disabled on your site
  • your filesystem is read-only
  • conflicting third-party extensions are preventing the update

If the automatic update was not successful, you should attempt to manually update to the newest patched version on your release branch (e.g. 4.2.4, 4.1.1, 4.0.18, etc.), as listed in the table above.

How can I check if my CRM was vulnerable?

Firstly, if you do not use WooCommerce Connect then the issue does not impact you. If you do use WooCommerce Connect, certain settings need to be enabled: “Create Invoices from WooCommerce Orders” and “Show Invoices on My Account”. If neither of those were enabled, the issue does not impact you.
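For operators triaging several sites, the following added example (not Automattic's code) encodes the patched-version table above and the WooCommerce Connect conditions from this section into one check; the version strings and setting flags passed to it are constructed inputs an administrator would read from each install.

```python
"""Triage helper for the Jetpack CRM invoice-exposure advisory (added example,
not Automattic's code). It encodes the advisory's patched-version table and the
WooCommerce Connect conditions; inputs are version strings read from the site."""
from typing import Optional, Tuple

# Lowest patched Jetpack CRM core release in each affected branch (advisory table).
PATCHED_CORE = {(3, 0): (3, 0, 20), (4, 0): (4, 0, 18), (4, 1): (4, 1, 1), (4, 2): (4, 2, 4)}
HIGHEST_PATCHED_CORE = (4, 2, 4)      # "4.2.4 (or higher)"
PATCHED_WOO_CONNECT = (2, 13)         # "2.13 (or higher)"


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.0.18' -> (4, 0, 18); tuples compare component-wise, so '4.0.9' < '4.0.18'."""
    return tuple(int(part) for part in text.strip().split("."))


def core_is_patched(version: str) -> bool:
    """True when this core version needs no update for the issue."""
    v = parse_version(version)
    if v < (3, 0):
        return True                         # pre-3.0 (Zero BS CRM) was not affected
    if v >= HIGHEST_PATCHED_CORE:
        return True                         # current branch, fix included
    minimum = PATCHED_CORE.get(v[:2])
    # A branch that is not in the table has no patched release: update.
    return minimum is not None and v >= minimum


def woo_connect_is_patched(version: str) -> bool:
    return parse_version(version) >= PATCHED_WOO_CONNECT


def assess(core_version: str, woo_connect_version: Optional[str] = None,
           create_invoices_from_orders: bool = False,
           show_invoices_on_my_account: bool = False) -> Tuple[bool, bool]:
    """Return (exposed, update_needed).

    exposed: the install met the advisory's conditions (WooCommerce Connect in
    use, the invoice settings not both disabled, core not yet patched). The core
    patch alone is treated as sufficient, as the advisory states; an updated
    extension on an unpatched core is conservatively still flagged.
    update_needed: any component is below a patched release; the advisory asks
    for the update regardless of exposure.
    """
    core_ok = core_is_patched(core_version)
    woo_ok = woo_connect_version is None or woo_connect_is_patched(woo_connect_version)
    uses_woo_connect = woo_connect_version is not None
    settings_active = create_invoices_from_orders or show_invoices_on_my_account
    exposed = uses_woo_connect and settings_active and not core_ok
    return exposed, not (core_ok and woo_ok)
```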

Is Jetpack CRM still safe to use?

Yes.

Incidents like this are uncommon, but do unfortunately sometimes happen. Our intention is always to respond immediately and operate with complete transparency. 

Since learning of the vulnerability, the team has worked around the clock to ensure that a fix has been put in place, and our users have been informed. 

Our continued investment in security allows us to prevent the vast majority of issues, but we strive to fix quickly, communicate proactively, and work collaboratively with the CRM community in rare cases like these.

What if I still have questions?

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.



5 Reasons Why Jetpack CRM is the Ideal WooCommerce CRM

Posted on April 06, 2021 by Simon Keating

A customer relationship management tool, or CRM, is precisely what its name implies. It’s a technology system that intelligently manages and stores customer information in real time, all in one easy place, so that you and key team members can access it as needed. 

When you’re a small operation, it’s easier for you to remember the needs of individual customers and cater to them accordingly. But what happens when you grow? How will your employees know anything about who your customers are? Customer profiles are a must for any successful business, and a good CRM takes care of them.


Jetpack CRM Product Update #34 – Jan 2021

Posted on February 05, 2021 by Woody Hayday

These product update posts collect everything new and updated in Jetpack CRM each month. This post covers updates up to version 4.0.11 (January 2021).

Here’s what we’ve been working on in January:

Jetpack CRM Changelog:

This is the full change log this month grouped by what CRM features we’ve added, improved or fixed to the core Jetpack CRM WordPress plugin.


Jetpack CRM Product Update #33 – Dec 2020

Posted on January 04, 2021 by Woody Hayday

These product update posts collect everything new and updated in Jetpack CRM each month. This post covers updates up to version 4.0.10 (December 2020).

We’ll skip the update video for December because we mostly fixed small issues, but watch this space for more video summary updates in 2021!

Here’s what we’ve been working on in December:

Jetpack CRM core

This month we fixed several of the more niggly bugs 🐛 which have been irritating you the most, as well as doing some tidying up and strengthening some security aspects. It’s a light month as we head into prep for the new year, including work on the API v3.0.

Jetpack CRM Changelog:

This is the full change log this month grouped by what CRM features we’ve added, improved or fixed to the core Jetpack CRM WordPress plugin.

What’s new

  1. New auto-log: Add an activity log to a contact when a Quote is accepted via the client portal.
  2. New hook jpcrm_quote_accepted.

What we’ve improved

  1. Sending Quotes via email now allows for optional attachment of quote as a PDF file, and the attachment of any associated files.
  2. Hardened the security around the updating of activity logs.
  3. Resolved a false-positive security flag in a security plugin (removed PCLZIP library).
  4. Verified WordPress 5.6 support.
  5. Hardened output of contact list records on dash.
  6. Hardened parsing of CSV files.
  7. Custom field types numeric and numeric (decimal) are now reliably sortable via list views.
  8. Code tidy: Removed legacy country-check code; removed some javascript console logs and PHP notices.

What we’ve fixed

  1. Resolved migration issues where Jetpack CRM is installed via wp-cli.
  2. List views with ‘Latest Contact’ column now load properly regardless of DB environment.
  3. Resolved PHP notice around quotes on contact view.
  4. Quote and Task auto-logging now working correctly.
  5. Removed duplicate title in the short description logs when creating quotes, invoices, transactions, and tasks.
  6. Fixed custom fields with auto-numbers, which were previously broken when they had an empty prefix.
  7. Resolved a PHP notice for some users when they used the email tracking system.
  8. Labels now fully respect locale.

Jetpack CRM extensions

We fixed one bug in extensions this month, notably that the Mail Campaigns settings page had recently become inaccessible in some cases:

  • v2.2.1 of Mail Campaigns:
    • Settings inaccessible in CRM 4.0.9 and 4.0.10.

Terms of Service change

Posted on December 03, 2020 by Woody Hayday

Jetpack CRM is owned by Automattic, the company that makes the Jetpack plugin and WordPress.com. As of January 1, 2021, Jetpack CRM will be covered by the same Terms of Service and Privacy Policy Jetpack uses.

We’re retiring the separate Terms & Conditions and Privacy Policy for Jetpack CRM to keep things straightforward across all of Automattic’s sites and services, and wanted to let you know ahead of the switch in case you’re interested in what changes and why. You can read the updated Terms here and the updated Privacy Policy here.

These changes will take effect on January 1, 2021. If you continue to use our services on or after that date, you acknowledge that your use will be subject to our new Terms of Service and our new Privacy Policy.


Jetpack CRM Live Webinar

Posted on September 16, 2020 by Mike Stott

The secret to successful marketing and sales is understanding your customers, and Jetpack CRM is the leading CRM software built especially for WordPress sites.

Get the basics on how to track every interaction with each of your customers, from phone calls and emails to meetings and sales, all without leaving your WordPress dashboard! Deepen your business’ most important relationships by leveraging the power of Jetpack CRM.
