Plugin Vulnerability Hub
Plugin 25 known issues Latest disclosed Dec 04, 2024

Jetpack – WP Security, Backup, Speed, & Growth Vulnerabilities

Review known vulnerability records for the WordPress plugin Jetpack – WP Security, Backup, Speed, & Growth (`jetpack`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2024-10858, CVE-2024-10076 and CVE-2024-10075, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 25
High or Critical: 4
Patch Coverage: 100%
Last Updated: May 27, 2025

Priority CVE Quick Links

Fast paths into Jetpack – WP Security, Backup, Speed, & Growth CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs: 14

CVE-2024-10075 Medium 13.8
CVE-2024-10075 Jetpack – WP Security, Backup, Speed, & Growth Authorization Bypass

Jetpack <= 13.7 - Unauthenticated Arbitrary Block & Shortcode Execution

CVE-2023-2996 Medium 10.0.1
CVE-2023-2996 Jetpack – WP Security, Backup, Speed, & Growth Vulnerability

Jetpack <= 12.1 - Authenticated (Author+) Arbitrary File Manipulation

CVE-2024-10076 Medium 13.8
CVE-2024-10076 Jetpack – WP Security, Backup, Speed, & Growth Stored Cross-Site Scripting

Jetpack <= 13.7 & Jetpack Boost <= 3.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

CVE-2024-4392 Medium 13.4
CVE-2024-4392 Jetpack – WP Security, Backup, Speed, & Growth Stored Cross-Site Scripting

Jetpack – WP Security, Backup, Speed, & Growth <= 13.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode

CVE-2023-45050 Medium 12.8-a.3
CVE-2023-45050 Jetpack – WP Security, Backup, Speed, & Growth Stored Cross-Site Scripting

Jetpack <= 12.8-a.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute

CVE-2024-10858 Medium 14.1
CVE-2024-10858 Jetpack – WP Security, Backup, Speed, & Growth Cross-Site Scripting

Jetpack 13.0 - 14.0 - Reflected DOM-based Cross-Site Scripting

CVE-2016-10706 Medium 4.0.3
CVE-2016-10706 Jetpack – WP Security, Backup, Speed, & Growth Cross-Site Scripting

Jetpack <= 4.0.2 - Cross-Site Scripting

CVE-2016-10705 Medium 4.0.4
CVE-2016-10705 Jetpack – WP Security, Backup, Speed, & Growth Cross-Site Scripting

Jetpack <= 4.0.3 - Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Jetpack – WP Security, Backup, Speed, & Growth so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 25 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 2 critical and 2 high severity findings.
Recent CVEs: CVE-2024-10858, CVE-2024-10076 and CVE-2024-10075
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Jetpack – WP Security, Backup, Speed, & Growth

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2024-10858
CVE-2024-10858: Jetpack 13.0 - 14.0 - Reflected DOM-based Cross-Site Scripting

The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'postmessage' in versions 13.0 to 14.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to i...

Published: Dec 04, 2024
Patched Release: 14.1
Affected Versions: 13.0 through 14.0
Next Step: Update to 14.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-10076
CVE-2024-10076: Jetpack <= 13.7 & Jetpack Boost <= 3.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Jetpack plugin for WordPress, versions less than and equal to 13.7, and the Jetpack Boost plugin for WordPress, versions less than and equal to 3.4.7, are vulnerable to Stored Cross-Site Scripting via the Site Accelerator feature due to insufficient input sanitization and out...

Published: Oct 17, 2024
Patched Release: 13.8
Affected Versions: Versions up to 13.7
Next Step: Update to 13.8 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-10075
CVE-2024-10075: Jetpack <= 13.7 - Unauthenticated Arbitrary Block & Shortcode Execution

The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 13.7. This is due to the software allowing users to execute an action that does not properly validate a value before ru...

Published: Oct 17, 2024
Patched Release: 13.8
Affected Versions: Versions up to 13.7
Next Step: Update to 13.8 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-9926
CVE-2024-9926: Jetpack < 13.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure

The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to unauthorized access of data due to missing capability checks in the Contact_Form_Endpoint class in various versions up to, but not including, 13.9.1. This makes it possible for authen...

Published: Oct 14, 2024
Patched Release: 10.0.2
Affected Versions: 10.0 through 10.0.1
Next Step: Update to 10.0.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2024-4392
CVE-2024-4392: Jetpack – WP Security, Backup, Speed, & Growth <= 13.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode

The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all versions up to, and including, 13.3.1 due to insufficient input sanitization and output escaping on user supplied attribu...

Published: May 13, 2024
Patched Release: 13.4
Affected Versions: Versions up to 13.3.1
Next Step: Update to 13.4 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-47788
CVE-2023-47788: Jetpack <= 12.6.2 - Improper Authorization via WPCom External Media REST endpoints

The Jetpack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the WPCom External Media REST permission_callback function in versions up to and including 12.6.2. This makes it possible for authenticated attackers, with con...

Published: Nov 16, 2023
Patched Release: 12.7
Affected Versions: Versions before 12.7
Next Step: Update to 12.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-47774
CVE-2023-47774: Jetpack < 12.7 - Authenticated (Contributor+) Clickjacking via Iframe Injection

The Jetpack – WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Clickjacking via iframe injection due to an unknown parameter in all versions up to and including 12.6.2 due to insufficient input sanitization and output escaping. This makes it possible for...

Published: Nov 16, 2023
Patched Release: 12.7
Affected Versions: Versions before 12.7
Next Step: Update to 12.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-45050
CVE-2023-45050: Jetpack <= 12.8-a.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute

The Jetpack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attribute in versions up to, and including, 12.8-a.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acce...

Published: Nov 16, 2023
Patched Release: 12.8-a.3
Affected Versions: Versions up to 12.8-a.1
Next Step: Update to 12.8-a.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-2996
CVE-2023-2996: Jetpack <= 12.1 - Authenticated (Author+) Arbitrary File Manipulation

The Jetpack plugin for WordPress is vulnerable to arbitrary file manipulation in versions up to, and including, 12.1. This is due to insufficient validation on data being supplied to the media API endpoint. This makes it possible for authenticated attackers, with author-level per...

Published: May 30, 2023
Patched Release: 10.0.1
Affected Versions: 10.0 through 10.0
Next Step: Update to 10.0.1 or newer if supported.

Plugin Medium Patched: Yes CVE-2021-24374
CVE-2021-24374: JetPack <= 9.7 - Information Disclosure

The Jetpack Carousel module of the JetPack WordPress plugin before 9.8 allows users to create a "carousel" type image gallery and allows users to comment on the images. A security vulnerability was found within the Jetpack Carousel module by nguyenhg_vcs that allowed the comments...

Published: Jun 01, 2021
Patched Release: 2.0.8
Affected Versions: 2.0 up to before 2.0.8
Next Step: Update to 2.0.8 or newer if supported.

Plugin Medium Patched: Yes
Jetpack <= 7.9 - Stored Cross-Site Scripting

The Jetpack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a shortcode in versions up to, and including, 7.9. This makes it possible for medium-level authenticated attackers to inject arbitrary web scripts in administrative pages and posts that execute when...

Published: Oct 19, 2019
Patched Release: 5.1.1
Affected Versions: Versions before 5.1
Next Step: Update to 5.1.1 or newer if supported.

Plugin Medium Patched: Yes
Jetpack < 7.0.1 - Cross-Site Scripting

The Jetpack plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if t...

Published: Feb 14, 2019
Patched Release: 7.0.1
Affected Versions: Versions up to 7.0
Next Step: Update to 7.0.1 or newer if supported.