Jetpack 3.4.3: Coordinated Security Release

Jetpack 3.4.3 contains a critical security update and you should update your sites and any you help manage as soon as possible.


Sucuri notified us of an issue where improperly escaped URLs were being generated by a number of high-profile WordPress plugins, including Jetpack and Yoast. We’ve worked with the WordPress Security Team to coordinate a release which is being pushed out to all users. By the time we published this post (6pm GMT, April 20, 2015), if you haven’t opted out of auto-updates, your sites will update themselves automatically.

The Vulnerability

The vulnerability Sucuri discovered would allow an attacker to send a WordPress user with administrative rights a link which could execute malicious JavaScript. The vulnerability was introduced in Jetpack 3.0 and to date we have no evidence of this being exploited. However, now that this update is public, it’s more likely that exploits may occur. To avoid a breach, you should update your site as soon as possible.

How to Update

We have prepared and shipped updates to all affected versions of Jetpack. Unless you’ve opted out, your sites should update automatically – please check your sites to confirm that the Jetpack plugin has been successfully updated to one of these versions: 3.0.3, 3.1.2, 3.2.2, 3.3.3, or 3.4.3.

If not, please visit the Plugins page in your Dashboard and update Jetpack from there or update all your sites in bulk from

Note: Not all plugins affected by this issue will be auto-updating; some will be releasing updates separately. For that reason, we highly recommend that you ensure that all your plugins are up-to-date as updates are released over the next few days.

We also recommend updating any other plugins you may have installed to their latest version – unlike Jetpack, not all plugins will be updating automatically.
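One way to run the version check described above across several sites, as an added example that is not Jetpack's own code. The site names and versions in the inventory are constructed, and treating branches newer than 3.4 as fixed is an assumption.

```python
import re

# Fixed release per affected branch, as listed in the post.
FIXED_PATCH = {(3, 0): 3, (3, 1): 2, (3, 2): 2, (3, 3): 3, (3, 4): 3}
FIRST_AFFECTED = (3, 0)  # the post says the bug was introduced in Jetpack 3.0

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def classify(version_text):
    """Return 'not-affected', 'vulnerable', 'patched' or 'review'."""
    match = VERSION_RE.match(version_text.strip())
    if not match:
        return "review"  # unparseable: check the site by hand
    major, minor, patch = (int(part or 0) for part in match.groups()[:3])
    suffix = match.group(4)
    branch = (major, minor)
    if branch < FIRST_AFFECTED:
        return "not-affected"
    if suffix:
        return "review"  # e.g. '3.3.3-beta1' may predate the fixed release
    if branch in FIXED_PATCH:
        return "patched" if patch >= FIXED_PATCH[branch] else "vulnerable"
    # Assumption: branches newer than 3.4 were released after the fix.
    return "patched"


def audit(inventory):
    """Return (status per site, sorted list of sites that still need attention)."""
    report = {site: classify(version) for site, version in inventory.items()}
    pending = sorted(s for s, status in report.items()
                     if status in ("vulnerable", "review"))
    return report, pending


# Constructed inventory: site -> Jetpack version shown on its Plugins page.
SAMPLE_INVENTORY = {
    "blog.example.com": "3.4.3",
    "shop.example.com": "3.4.1",
    "old.example.org": "2.9.3",
    "docs.example.org": "3.2.2",
    "staging.example.net": "3.3.3-beta1",
    "news.example.net": "3.0",
}

if __name__ == "__main__":
    report, pending = audit(SAMPLE_INVENTORY)
    for site in sorted(report):
        print(f"{site:22} {SAMPLE_INVENTORY[site]:12} {report[site]}")
    print("needs attention:", ", ".join(pending))
```
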


As always, we greatly appreciate your continued use and support of Jetpack and we sincerely apologize for the inconvenience this has caused.

We take the security of your sites extremely seriously so please feel free to get in touch with our support team, create a new forum post, or leave a comment on this blog post if you have any concerns or problems updating.

We’d also like to extend our huge thanks to the crew on the WordPress Security Team who worked around the clock – and across timezones and several plugin teams – to coordinate today’s release.


3 Responses to Jetpack 3.4.3: Coordinated Security Release

  1. Richard Weberg says:

    Thanks for the update and keeping us informed, JetPack is an awesome plugin and only wish I had found it sooner!

  2. look says:

    Hi, I desire to subscribe for this web site to get
    newest updates, thus where can I do it? Please help out.
