PLUGIN SECURITY
Is Jetpack safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Jetpack WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
jetpack - Requires PHP: 7.2+
Known vulnerabilities
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 9.8 [CVE-2021-24374, WordPress Jetpack plugin <= 9.7.1 - Attached Image Comment Leak For Non-Published Post And Pages in Carousel Feature, Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak, JetPack <= 9.7 - Information Disclosure]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.4.3 [CVE-2015-9359, Jetpack 3.0-3.4.2 - Cross-Site Scripting (XSS), Jetpack <= 3.4.2 - Reflected Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.0.4 [CVE-2016-10705, Jetpack <= 4.0.3 - Multiple Vulnerabilities, Jetpack <= 4.0.3 - Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.0.3 [CVE-2016-10706, Jetpack 2.0-4.0.2 - Shortcode Stored Cross-Site Scripting (XSS), Jetpack <= 4.0.2 - Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 2.9.3 [CVE-2014-0173, WordPress Jetpack Plugin <= 2.9.2 - Security BYPASS, Jetpack <= 2.9.2 - class.jetpack.php XML-RPC Access Control Bypass, Jetpack < 2.9.3 - Security Bypass]
+ 41 more known vulnerabilities
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] <= 1.1.3 [CVE-2011-4673, WordPress Jetpack Plugin - SQL Injection]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 7.9.1 [WordPress Jetpack plugin <=7.9 - Shortcode embedding system vulnerability]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 6.5 [WordPress Jetpack plugin <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.0.4 [WordPress Jetpack Plugin <= 4.0.3 - Multiple Vulnerabilities]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.0.3 [WordPress Jetpack Plugin <= 4.0.2 - Stored Cross Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.9.2 [WordPress Jetpack Plugin <= 3.9.1 - Cross Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.1 [WordPress Jetpack Plugin <= 3.7.0 - Stored Cross Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.1 [WordPress Jetpack Plugin <= 3.7.0 - Information Disclosure]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.4.3 [WordPress Jetpack Plugin <= 3.4.2 - Cross Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.5.3 [WordPress Jetpack Plugin <= 3.5.2 - Cross Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] >= 5.1 - <= 7.9 [Jetpack 5.1-7.9 - Vulnerability in Shortcode Embed Code]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 6.5 [Jetpack <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS)]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.9.2 [Jetpack <= 3.9.1 - LaTeX HTML Element XSS]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.1 [Jetpack <= 3.7.0 - Information Disclosure]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.1 [Jetpack <= 3.7.0 - Stored Cross-Site Scripting (XSS)]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.5.3 [Jetpack <= 3.5.2 - Unauthenticated DOM Cross-Site Scripting (XSS)]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] <= 7.9 [Jetpack <= 7.9 - Stored Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 7.0.1 [Jetpack < 7.0.1 - Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 6.5 [Jetpack <= 6.4.2 - Cross-Site Scripting via post_meta]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.2 [Jetpack – WP Security, Backup, Speed, & Growth < 4.2 - Reflected Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.2 [Jetpack – WP Security, Backup, Speed, & Growth < 4.2 - CSV Injection]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 4.2 [Jetpack – WP Security, Backup, Speed, & Growth < 4.2 - Timing Attack]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.9.2 [Jetpack – WP Security, Backup, Speed, & Growth <= 3.9.1 - Cross-Site Scripting via LaTeX markup within HTML elements]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.9.2 [Jetpack – WP Security, Backup, Speed, & Growth <= 3.9.1 - Sensitive Information Disclosure]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.2 [Jetpack <= 3.7.1 - Information disclosure]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.7.2 [Jetpack <= 3.7.1 - Stored Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 3.5.3 [Jetpack <= 3.5.2 - Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 12.1.1 [WordPress Jetpack Plugin <= 12.1 is vulnerable to Broken Access Control]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 12.1.1 [CVE-2023-2996, Jetpack <= 12.1 - Authenticated (Author+) Arbitrary File Manipulation, Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 12.7 [CVE-2023-47774, WordPress Jetpack Plugin < 12.7 is vulnerable to Clickjacking, Jetpack < 12.7 - Authenticated(Contributor+) Clickjacking via Iframe Injection, Jetpack < 12.7 - Authenticated(Contributor+) Clickjacking via Iframe Injection]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 12.7 [CVE-2023-47788, WordPress Jetpack Plugin < 12.7 is vulnerable to Broken Access Control, Jetpack <= 12.6.2 - Improper Authorization via WPCom External Media REST endpoints, Jetpack < 12.7 - Improper Authorization via WPCom External Media REST endpoints]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 12.8-a.3 [CVE-2023-45050, WordPress Jetpack Plugin <= 12.8-a.1 is vulnerable to Cross Site Scripting (XSS), Jetpack <= 12.8-a.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute, Jetpack < 12.8-a.3 - Contributor+ Stored XSS via block attribute]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 13.2.1 [Jetpack < 13.2.1 - Contributor+ Stored XSS]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 13.4 [CVE-2024-4392, Jetpack – WP Security, Backup, Speed, & Growth <= 13.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode, WordPress Jetpack Plugin <= 13.3.1 is vulnerable to Cross Site Scripting (XSS)]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 13.9.1 [CVE-2024-9926, WordPress Jetpack Plugin < 13.9.1 is vulnerable to Broken Access Control]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 13.9.1 [Jetpack < 13.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] >= 13.0 - < 14.1 [CVE-2024-10858, WordPress Jetpack Plugin 13.0-14.0 is vulnerable to Cross Site Scripting (XSS), Jetpack 13.0 - 14.0 - Reflected DOM-based Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 13.8 [CVE-2024-10076, EUVD-2025-15337, Jetpack <= 13.7 & Jetpack Boost <= 3.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] < 13.8 [CVE-2024-10075, EUVD-2025-15352, Jetpack <= 13.7 - Unauthenticated Arbitrary Block & Shortcode Execution]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] == 11.4 [CVE-2023-54332]
- Jetpack – WP Security, Backup, Speed, & Growth [jetpack] <= 9.1 (unfixed) [CVE-2022-50958, EUVD-2022-55979]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- All-in-One WP Migration and Backup — 5000000+ active installs — max PHP <8.0
- Wordfence Security – Firewall, Malware Scan, and Login Security — 5000000+ active installs — max PHP 8.4
- UpdraftPlus: WP Backup & Migration Plugin — 3000000+ active installs — max PHP <8.0
- Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More — 1000000+ active installs — max PHP <8.0
- ManageWP Worker — 1000000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.