cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for jetpack

Jun 25, 2026

Jetpack – WP Security, Backup, Speed, & Growth # PSC-2026-64665

PSC, Research URL

PSC-2026-64665

Date
Jun 25, 2026
Research Description
Security and performance suites operate across many areas of a WordPress installation, including backups, malware scanning, content delivery, statistics, forms, and social publishing. That makes them operationally useful, but also security-sensitive because a broad plugin footprint can affect privileged settings, connected service tokens, public scripts, and administrator workflows. Jetpack - WP Security, Backup, Speed, and Growth version 15.9.1 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64665, confirming that the plugin was reviewed from a secure code perspective with attention to common exploitation paths for security suites, backup workflows, performance modules, and connected service integrations.
Affected versions
Min 15.9.1, max 15.9.1.
Status
SAFE & CERTIFIED
Jun 16, 2026

Jetpack – WP Security, Backup, Speed, & Growth # f52f6532055a5f1c7231d800dddcd84719043ac0

Date
Jun 20, 2016
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.0.4: WordPress Jetpack Plugin <= 4.0.3 - Multiple Vulnerabilities. This plugin is prone to a cross site scripting vulnerability via the Likes module. Also, settings of Post By Email could be changed. Upgrade this plugin.
Affected versions
max 4.0.4.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # e0194f13754886d9e99f239c49e2dd5c3ca9f66f

Date
May 26, 2016
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.0.3: WordPress Jetpack Plugin <= 4.0.2 - Stored Cross Site Scripting. This plugin is prone to a shortcode stored cross site scripting vulnerability. Update the plugin.
Affected versions
max 4.0.3.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 8957b847d52dd4bd0aba4f41fd974ca8ec1dae09

Date
Nov 21, 2019
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 7.9.1: WordPress Jetpack plugin <= 7.9 - Shortcode embedding system vulnerability. Shortcode embedding system vulnerability found by Adham Sadaqah in WordPress Jetpack plugin (versions <= 7.9).
Affected versions
max 7.9.1.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 1e59c14219c405d0065d8442cbef73aaecd1482f

Date
Dec 12, 2018
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 6.5: WordPress Jetpack plugin <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability. Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by RIPS Technologies in WordPress Jetpack plugin (versions <= 6.4.2).
Affected versions
max 6.5.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 2a2f5da6-497f-4513-ad62-2f6f52b1852f

Date
-
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.9.2: Jetpack <= 3.9.1 - LaTeX HTML Element XSS. The Jetpack – WP Security, Backup, Speed, & Growth WordPress plugin was affected by a LaTeX HTML Element XSS security vulnerability.
Affected versions
max 3.9.2.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 5e63453f-4d95-4bc3-9338-2d77f95f9ee7

Date
-
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 6.5: Jetpack <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS). According to RIPS Technologies: "RIPS detected a Stored XSS vulnerability that affects a module available to premium and professional users of Jetpack. Attackers who gained control over an account on the target site with at least Contributor privileges were able to inject arbitrary JavaScript code into the HTML markup of a blog post. Once the administrator of the target site views the malicious blog post, evil JavaScript code is executed which compromises the target server."
Affected versions
max 6.5.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # dad3ea5b-2420-4022-b26d-769f63ed01e7

Date
-
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.1: Jetpack <= 3.7.0 - Stored Cross-Site Scripting (XSS). Jetpack versions 3.7.0 and earlier are vulnerable to a cross-site scripting vulnerability in the contact form due to improper input sanitization. Reported by Marc-Alexandre Montpas from Sucuri.
Affected versions
max 3.7.1.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # a8073510758ddc46d88dbae64b770262e9ef8de3

Date
Oct 19, 2019
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] <= 7.9: Jetpack <= 7.9 - Stored Cross-Site Scripting. The Jetpack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a shortcode in versions up to, and including, 7.9. This makes it possible for medium-level authenticated attackers to inject arbitrary web scripts in administrative pages and posts that execute whenever a user accesses the page with the stored web scripts.
Affected versions
max 7.9.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # df630c09b5ae69e0a0120e4fd48c13734af822c3

Date
Feb 25, 2016
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.9.2: WordPress Jetpack Plugin <= 3.9.1 - Cross Site Scripting. Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 3.9.2.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 10eb55a17739f28856fa527aa6bdde8481102392

Date
Oct 01, 2015
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.1: WordPress Jetpack Plugin <= 3.7.0 - Stored Cross Site Scripting. Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 3.7.1.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 7105cb30-e393-4c79-aeb7-7439bd560738

Date
-
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] >= 5.1 - <= 7.9: Jetpack 5.1-7.9 - Vulnerability in Shortcode Embed Code. The Jetpack – WP Security, Backup, Speed, & Growth WordPress plugin was affected by a Vulnerability in Shortcode Embed Code security vulnerability.
Affected versions
Min 5.1, max 7.9.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 942fbc3f5443cec830840105ebdb1de0fa7efa6c

Date
Feb 14, 2019
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 7.0.1: Jetpack < 7.0.1 - Cross-Site Scripting. The Jetpack plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 7.0.1.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 8b2577c950eb5e19c4bf87ece5f8d4ae541b0f5d

Date
Dec 11, 2018
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 6.5: Jetpack <= 6.4.2 - Cross-Site Scripting via post_meta. Jetpack up to 6.4.2 is vulnerable to stored Cross-Site Scripting. This allows attackers with contributor privileges to inject arbitrary JavaScript code into the HTML markup of a blog post.
Affected versions
max 6.5.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 1a116fa108cde0d07f6175075a8c01a62d2aa3a3

Date
Apr 26, 2017
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.2: Jetpack – WP Security, Backup, Speed, & Growth < 4.2 - Reflected Cross-Site Scripting. The Jetpack plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the add_query_args() function in versions up to, and including, 4.1.x due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 4.2.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 8ed4441a22433575555360042e387ed808c4d995

Date
Oct 01, 2015
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.1: WordPress Jetpack Plugin <= 3.7.0 - Information Disclosure. This plugin is prone to an information disclosure vulnerability in certain hosting configurations. Update the plugin.
Affected versions
max 3.7.1.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # a0b05003fca46d758e30f5d242f081813667d8b1

Date
Apr 20, 2015
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.4.3: WordPress Jetpack Plugin <= 3.4.2 - Cross Site Scripting. Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 3.4.3.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 2765d571-059b-4d6f-948c-3ca7b9febcdc

Date
-
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.5.3: Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS). Genericons <= 3.2 is vulnerable to DOM XSS in the example.html file due to using an outdated version of jQuery and vulnerable code. Vulnerable Code: permalink = "genericon-" + window.location.hash.split('#')[1]; cssclass = jQuery( '.' + permalink ).attr('class');
Affected versions
max 3.5.3.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 8843339ca3c547f9c5d5f0f7836e27744a9bed9e

Date
May 06, 2015
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.5.3: WordPress Jetpack Plugin <= 3.5.2 - Cross Site Scripting. This plugin is prone to an unauthenticated DOM cross site scripting vulnerability. Update the plugin.
Affected versions
max 3.5.3.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # f36531a9-1670-4122-9f41-afcf71376375

Date
-
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.1: Jetpack <= 3.7.0 - Information Disclosure. The Jetpack – WP Security, Backup, Speed, & Growth WordPress plugin was affected by an Information Disclosure security vulnerability.
Affected versions
max 3.7.1.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 2eea75d0fc2b65a7108d03281f162fe8a9c8bf09

Date
May 06, 2015
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.5.3: Jetpack <= 3.5.2 - Cross-Site Scripting. The Jetpack plugin for WordPress, in versions up to 3.5.2, is vulnerable to DOM based Cross-Site Scripting via the file genericons/example.html. This vulnerability allowed unauthenticated users to execute JavaScript in a visitor's browser provided they were able to trick them into clicking on a carefully crafted link. Executing JavaScript in an administrative user's browser was possible if the victim was logged on to the affected site as an administrator.
Affected versions
max 3.5.3.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # bfed3099-bd41-4988-a76b-2b9349051879

Date
-
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 13.2.1: Jetpack < 13.2.1 - Contributor+ Stored XSS. The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions
max 13.2.1.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # d0e43e57b78d7c62d3889e9cfbe510dd852a313a

Date
Feb 25, 2016
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.9.2: Jetpack – WP Security, Backup, Speed, & Growth <= 3.9.1 - Cross-Site Scripting via LaTeX markup within HTML elements. The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Cross-Site Scripting via LaTeX markup within HTML elements in versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser.
Affected versions
max 3.9.2.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # cc9326052e5e086b429a42db7048d509aabde351

Date
Oct 01, 2015
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.2: Jetpack <= 3.7.1 - Stored Cross-Site Scripting. Jetpack versions 3.7.0 and earlier are vulnerable to a Cross-Site Scripting vulnerability in the contact form due to improper input sanitization. This allows an unauthenticated attacker to inject JavaScript into the contact form that can potentially execute in a site administrator's browser.
Affected versions
max 3.7.2.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 44e791e3a465b767ceef958ba075d6d455c1eca0

Date
Feb 25, 2016
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.9.2: Jetpack – WP Security, Backup, Speed, & Growth <= 3.9.1 - Sensitive Information Disclosure. The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 3.9.1. This makes it possible for authenticated attackers with database access to extract sensitive data including plaintext credentials due to plaintext storage of those credentials.
Affected versions
max 3.9.2.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 812b14ffc09bec4b95673cda3d5d0040ba8a0462

Date
Oct 01, 2015
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.2: Jetpack <= 3.7.1 - Information disclosure. Jetpack up to 3.7.1 is affected by an information disclosure vulnerability.
Affected versions
max 3.7.2.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # b35a9ee3f9722b7f631592b6b4e53a3f52a76560

Date
May 30, 2023
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 12.1.1: WordPress Jetpack Plugin <= 12.1 is vulnerable to Broken Access Control. Update the WordPress Jetpack plugin to the latest available version (at least 12.1.1). Jetpack discovered and reported this Broken Access Control vulnerability in WordPress Jetpack Plugin. This vulnerability has been fixed in version 12.1.1.
Affected versions
max 12.1.1.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 7b4bc72eb58f6eb409ec7f6222a169e5917d3585

Date
Apr 26, 2017
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.2: Jetpack – WP Security, Backup, Speed, & Growth < 4.2 - CSV Injection. The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 4.2. This allows unauthenticated attackers to embed untrusted input into data via contact forms that will be injected into exported CSV files. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Affected versions
max 4.2.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # ffd169a15f0b3f3b7e9e5d2a66f48050efccf852

Date
Apr 26, 2017
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.2: Jetpack – WP Security, Backup, Speed, & Growth < 4.2 - Timing Attack. The Jetpack plugin for WordPress is vulnerable to timing attacks in versions up to, and including, 4.1.x. This is due to lack of a safe string comparison function.
Affected versions
max 4.2.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # 162e5bc508a8fca3a94873242e3470bb3364bf22

Date
Oct 14, 2024
Research Description
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 13.9.1: Jetpack < 13.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure. The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to unauthorized access of data due to missing capability checks in the Contact_Form_Endpoint class in various versions up to, but not including, 13.9.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to read all Jetpack form submissions on the site.
Affected versions
max 13.9.1.
Status
vulnerable
May 11, 2026

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2022-50958

CVE, Research URL

CVE-2022-50958

Date
May 10, 2026
Research Description
WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers.
Affected versions
max 9.1.
Status
vulnerable
Jan 28, 2026

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2023-54332

CVE, Research URL

CVE-2023-54332

Date
Jan 14, 2026
Research Description
Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page.
Affected versions
max 11.4.
Status
vulnerable
May 17, 2025

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2024-10075

CVE, Research URL

CVE-2024-10075

Date
May 16, 2025
Research Description
The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and blocks.
Affected versions
max 13.8.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2024-10076

CVE, Research URL

CVE-2024-10076

Date
May 16, 2025
Research Description
The Jetpack WordPress plugin before 13.8 and the Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterparts. Unfortunately, some of them may match patterns they shouldn't, ultimately making it possible for contributor and above users to perform Stored XSS attacks.
Affected versions
max 13.8.
Status
vulnerable
Dec 26, 2024

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2024-10858

CVE, Research URL

CVE-2024-10858

Date
Dec 25, 2024
Research Description
The Jetpack WordPress plugin before 14.1 does not properly check the postMessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com.
Affected versions
Min 13.0, max 14.1.
Status
vulnerable
Oct 15, 2024

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2024-9926

CVE, Research URL

CVE-2024-9926

Date
Nov 07, 2024
Research Description
The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoints, allowing any authenticated user, such as a subscriber, to read arbitrary feedback data sent via the Jetpack Contact Form.
Affected versions
max 13.9.1.
Status
vulnerable
Jun 10, 2024

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2023-47788

CVE, Research URL

CVE-2023-47788

Date
Jun 19, 2024
Research Description
Missing Authorization vulnerability in Automattic Jetpack. This issue affects Jetpack: from n/a before 12.7.
Affected versions
max 12.7.
Status
vulnerable
Jun 07, 2024

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2015-9359

CVE, Research URL

CVE-2015-9359

Date
Aug 28, 2019
Research Description
The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_arg() and remove_query_arg().
Affected versions
max 3.4.3.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2016-10705

CVE, Research URL

CVE-2016-10705

Date
Jan 13, 2018
Research Description
The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes module.
Affected versions
max 4.0.4.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2016-10706

CVE, Research URL

CVE-2016-10706

Date
Jan 13, 2018
Research Description
The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vimeo link.
Affected versions
max 4.0.3.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2011-4673

CVE, Research URL

CVE-2011-4673

Date
Dec 03, 2011
Research Description
SQL injection vulnerability in modules/sharedaddy.php in the Jetpack plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
Affected versions
Min 5.1, max 1.1.3.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2021-24374

CVE, Research URL

CVE-2021-24374

Date
Jun 22, 2021
Research Description
The Jetpack Carousel module of the Jetpack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments of non-published pages/posts to be leaked.
Affected versions
max 9.8.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2014-0173

CVE, Research URL

CVE-2014-0173

Date
Apr 22, 2014
Research Description
The Jetpack plugin before 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x before 2.1.4, 2.2.x before 2.2.7, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.2, 2.6.x before 2.6.3, 2.7.x before 2.7.2, 2.8.x before 2.8.2, and 2.9.x before 2.9.3 for WordPress does not properly restrict access to the XML-RPC service, which allows remote attackers to bypass intended restrictions and publish posts via unspecified vectors. NOTE: some of these details are obtained from third party information.
Affected versions
max 2.9.3.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2023-2996

CVE, Research URL

CVE-2023-2996

Date
Jun 27, 2023
Research Description
The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.
Affected versions
max 12.1.1.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2023-47774

CVE, Research URL

CVE-2023-47774

Date
Apr 24, 2024
Research Description
Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking. This issue affects Jetpack: from n/a before 12.7.
Affected versions
max 12.7.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2024-4392

CVE, Research URL

CVE-2024-4392

Date
May 14, 2024
Research Description
The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all versions up to, and including, 13.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 13.4.
Status
vulnerable

Jetpack – WP Security, Backup, Speed, & Growth # CVE-2023-45050

CVE, Research URL

CVE-2023-45050

Date
Nov 30, 2023
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack – WP Security, Backup, Speed, & Growth allows Stored XSS. This issue affects Jetpack – WP Security, Backup, Speed, & Growth: from n/a through 12.8-a.1.
Affected versions
max 12.8-a.3.
Status
vulnerable