Jetpack 4.0.3: Critical Security Update

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site. Get up to 70% off your first year.

Explore plans
Jetpack 4.0.3 contains a critical security update, and you should update all the sites you manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.


We found a vulnerability in the way that some Jetpack shortcodes are processed. This bug has existed since Jetpack 2.0, released in November 2012. Thank you to Marc-Alexandre Montpas from Sucuri for his research and responsible disclosure of this issue.

Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before someone attempts to exploit it. To avoid any problems, you should update your site as soon as possible.

We have been working closely with the WordPress security team, which has pushed updates to all impacted versions through core’s auto-update system. If you’ve updated to Jetpack 4.0.3 (or a secure version listed below), you’re in the clear. This security update not only fixes this vulnerability, but also fixes any potential exploits that may have been in place prior to the update. This is why upgrading to a secure version of Jetpack as soon as possible is so important.

If you’ve been using Akismet, you’re protected and have been since this vulnerability was first reported to our security team. Also, any sites using VaultPress 1.8.3 will already have the fix automatically applied to their sites. We still recommend updating Jetpack to ensure your site is protected.

We have prepared and shipped point releases for all twenty-one vulnerable branches of the Jetpack codebase: 2.0.7, 2.1.5, 2.2.8, 2.3.8, 2.4.5, 2.5.3, 2.6.4, 2.7.3, 2.8.3, 2.9.4, 3.0.4, 3.1.3, 3.2.3, 3.3.4, 3.4.4, 3.5.4, 3.6.2, 3.7.3, 3.8.3, 3.9.7, and 4.0.3. Downloads for each branch can be found here.

We have compiled some frequently asked questions (or FAQs) regarding this update with more information. If you need more detailed information about how to update Jetpack to the a secure version, you can follow the steps in our how-to guide.

Finding and fixing bugs is a key part of software development. We can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.

Thanks go out to the security teams at both Automattic and WordPress core, the Jetpack support team, and, in particular: Brandon Kraft, Carolyn Sonnek, Dion Hulse, Dominik Schilling, Gary Pendergast, Marc-Alexandre Montpas, Nikolay Bachiyski, Sam Hotchkiss, George Stephanis, and Alexander Concha.

This entry was posted in Releases and tagged , . Bookmark the permalink.

Carolyn S. profile
Carolyn S.

Bacon bacon bacon!

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site. Get up to 70% off your first year.

Explore plans

Have a question?

Comments are closed for this article, but we're still here to help! Visit the support forum and we'll be happy to answer any questions.

View support forum


  1. Robert Felty says:

    Thanks for the quick fix


  2. Shilpa Thakre says:

    Thanks for these Great facilities and services.

    Thanks a Lot . Thankyou Jetpack


  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 112.5K other subscribers
  • Browse by Topic

  • %d bloggers like this: