Vulnerability Detected in Jetpack CRM – What You Need To Know

Posted on September 14, 2021 by Mike Stott

On 11th August 2021 the team identified and confirmed a security issue in Jetpack CRM and WooCommerce Connect which could allow an unauthorised individual to view CRM invoices that weren’t associated with their own account.

The vulnerability was patched in version 4.2.4 of Jetpack CRM Core and version 2.13 of WooCommerce Connect, which were both recently released. We have no evidence that this vulnerability has been exploited, but we strongly advise you to update the extension and core CRM plugin as soon as possible.

While the issue was patched, we do not have a means to force security updates to CRM extensions, so we have added additional patches to the CRM core to secure installs where WooCommerce Connect hadn’t been updated. These updates to Jetpack CRM core began rolling out on 4th September 2021 to all sites running impacted versions of Jetpack CRM through the WordPress.org automatic software update system, but we still highly recommend running the latest version available from WordPress.org.

How do I know if my version is up-to-date?

The table below contains a full list of patched versions for both Jetpack CRM and WooCommerce Connect. If you are running a version of Jetpack CRM or WooCommerce Connect that is not on this list, please update immediately to the highest version in your release branch.

Jetpack CRM            Jetpack CRM WooCommerce Connect
4.2.4 (or higher)      2.13 (or higher)
4.1.1
4.0.18
3.0.20

*Note: versions prior to 3.0 of the core CRM plugin were not affected – but we strongly urge you to use the latest version of Jetpack CRM.

How do I manually update the CRM?

Your site may not have automatically updated for a number of reasons, which may mean it requires a manual update. A few reasons include the following:

  • your site is running an old version that is not impacted (i.e. pre Zero BS CRM 3.0)
  • automatic updates have been explicitly disabled on your site
  • your filesystem is read-only
  • conflicting third-party extensions are preventing the update

If the automatic update was not successful, you should attempt to manually update to the newest patched version on your release branch (e.g. 4.2.4, 4.1.1, 4.0.18, etc), as listed in the table above.

How can I check if my CRM was vulnerable?

Firstly, if you do not use WooCommerce Connect then the issue does not impact you. If you do use WooCommerce Connect, certain settings need to be enabled: “Create Invoices from WooCommerce Orders” and “Show Invoices on My Account”. If neither of those were enabled, the issue does not impact you.
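The two checks above (the patched-version table per release branch, and the WooCommerce Connect settings that must be enabled for an install to be affected) can be combined into a single script. The following is an added example written for this post, not code from the Jetpack CRM project: the version numbers are copied from the table above, while the function names, the treatment of a version suffix such as "-beta1", and the decision to treat an install with only one of the two settings enabled as still needing review are assumptions of the example.

```python
from __future__ import annotations

# Patched minimum per release branch, taken from the advisory's table.
# Any core version at or above 4.2.4 is patched regardless of branch.
CORE_PATCHED_BY_BRANCH = {
    (4, 2): (4, 2, 4),
    (4, 1): (4, 1, 1),
    (4, 0): (4, 0, 18),
    (3, 0): (3, 0, 20),
}
CORE_PATCHED_ANY = (4, 2, 4)      # "4.2.4 (or higher)"
CONNECT_PATCHED = (2, 13)         # "2.13 (or higher)"
CORE_FIRST_AFFECTED = (3, 0)      # core versions prior to 3.0 were not affected


def parse_version(text: str) -> tuple[int, ...]:
    """'4.2.4' -> (4, 2, 4). A suffix such as '-beta1' is dropped (assumption)."""
    numeric = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def core_status(version: str) -> str:
    """Classify a Jetpack CRM core version against the advisory's table."""
    v = parse_version(version)
    if v[:2] < CORE_FIRST_AFFECTED:
        return "not-affected"          # pre-3.0; the post still urges updating
    if v >= CORE_PATCHED_ANY:
        return "patched"
    minimum = CORE_PATCHED_BY_BRANCH.get(v[:2])
    if minimum is not None and v >= minimum:
        return "patched"
    # Below the branch minimum, or on a branch the table does not list:
    # update to the highest version available in the release branch.
    return "update-required"


def connect_status(version: str) -> str:
    """Classify a WooCommerce Connect version ("2.13 or higher" is patched)."""
    return "patched" if parse_version(version) >= CONNECT_PATCHED else "update-required"


def exposure(core_version: str, connect_version: str | None,
             create_invoices: bool, show_invoices: bool) -> dict:
    """Combine the version table with the settings check from the advisory.

    connect_version=None means WooCommerce Connect is not installed. The post
    clears installs where neither setting is enabled; this example treats any
    other combination as needing both components to be patched (assumption).
    """
    core = core_status(core_version)
    if connect_version is None:
        return {"core": core, "connect": "not-installed", "overall": "not-exposed"}
    connect = connect_status(connect_version)
    if not (create_invoices or show_invoices):
        return {"core": core, "connect": connect, "overall": "not-exposed"}
    if core == "not-affected":
        overall = "not-affected"
    elif core == "patched" and connect == "patched":
        overall = "patched"
    else:
        overall = "update-required"
    return {"core": core, "connect": connect, "overall": overall}


if __name__ == "__main__":
    # Constructed sample install: core on the 4.1 branch one release behind,
    # Connect not yet updated, both invoice settings switched on.
    print(exposure("4.1.0", "2.12", create_invoices=True, show_invoices=True))
```

Run it against the versions shown on the Plugins screen of your site; an "overall" of "update-required" names which component is behind, and a core result of "update-required" on an unlisted branch simply means you should move to the newest release in that branch.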

Is Jetpack CRM still safe to use?

Yes.

Incidents like this are uncommon, but do unfortunately sometimes happen. Our intention is always to respond immediately and operate with complete transparency. 

Since learning of the vulnerability, the team has worked around the clock to ensure that a fix has been put in place, and our users have been informed. 

Our continued investment in security allows us to prevent the vast majority of issues, but we strive to fix quickly, communicate proactively, and work collaboratively with the CRM community in rare cases like these.

What if I still have questions?

If you have any further concerns or questions regarding this issue, our team of Happiness Engineers is on hand to help – open a support ticket.
