Automattic Jetpack
16 CVEs affecting Automattic Jetpack. Latest disclosed: 2026-01-13. Critical: 0, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-2996 | High | 8.8 | 2023-06-27 | The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site… |
| CVE-2023-45050 | Medium | 6.5 | 2023-11-30 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Jetpack – WP Security, Backup, Speed, & Growth… |
| CVE-2024-4392 | Medium | 6.4 | 2024-05-14 | The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all… |
| CVE-2023-54332 | Medium | 6.1 | 2026-01-13 | Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id par… |
| CVE-2024-10858 | Medium | 6.1 | 2024-12-25 | The Jetpack WordPress plugin before 14.1 does not properly check the postmessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-X… |
| CVE-2015-9359 | Medium | 6.1 | 2019-08-28 | The Jetpack plugin before 3.4.3 for WordPress has XSS via add_query_arg() and remove_query_arg(). |
| CVE-2016-10706 | Medium | 6.1 | 2018-01-12 | The Jetpack plugin before 4.0.3 for WordPress has XSS via a crafted Vimeo link. |
| CVE-2016-10705 | Medium | 6.1 | 2018-01-12 | The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes module. |
| CVE-2024-10076 | Medium | 5.9 | 2025-05-15 | The Jetpack WordPress plugin before 13.8, Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs… |
| CVE-2024-10075 | Medium | 5.6 | 2025-05-15 | The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow u… |
| CVE-2023-47774 | Medium | 5.4 | 2024-04-24 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking. This issue affects Jetpack: from n/a before 12.7. |
| CVE-2021-24374 | Medium | 5.3 | 2021-06-21 | The Jetpack Carousel module of the Jetpack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on th… |
| CVE-2024-9926 | Medium | 4.3 | 2024-11-07 | The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoints, allowing any authenticated user, such as a subscriber, to read arbit… |
| CVE-2023-47788 | Medium | 4.3 | 2024-06-19 | Missing Authorization vulnerability in Automattic Jetpack. This issue affects Jetpack: from n/a before 12.7. |
| CVE-2014-0173 | | | 2014-04-22 | The Jetpack plugin before 1.9 before 1.9.4, 2.0.x before 2.0.9, 2.1.x before 2.1.4, 2.2.x before 2.2.7, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2… |
| CVE-2011-4673 | | | 2011-12-02 | SQL injection vulnerability in modules/sharedaddy.php in the Jetpack plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id… |