Jetpack 7.9.1: Maintenance and Security Release

Jetpack 7.9.1 contains a critical security update. You should update all sites that you administer as soon as possible.

We found a vulnerability in the way Jetpack processed embed code that has existed since Jetpack 5.1, released in July 2017. Thank you to Adham Sadaqah for disclosing this issue to us in a responsible manner.

We have no evidence that this vulnerability has been exploited in the wild. However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability.

In addition to the security release, Jetpack 7.9.1 fixes a few other minor issues, including improved compatibility with Twenty Twenty, the new default theme for WordPress.

In addition to Jetpack 7.9.1, we worked with the Security Team to release patched versions of every version of Jetpack since 5.1. Most websites have been or will soon be automatically updated to a secured version. Versions released today include 5.1.1, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.4, 6.4.3, 6.5.1, 6.6.2, 6.7.1, 6.8.2, 6.9.1, 7.0.2, 7.1.2, 7.2.2, 7.3.2, 7.4.2, 7.5.4, 7.6.1, 7.7.3, 7.8.1, 7.9.1. If you are running any of these versions, your website is not vulnerable to this issue. But, if you’re not running the latest and greatest—7.9.1—your site is missing other security enhancements!

This entry was posted in Releases, Security and tagged , , , . Bookmark the permalink.

Kraft profile

Texan by birth. Engineering Group Lead at Automattic working on Jetpack.

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site.

Get up to 50% off your first year.

Compare plans

Have a question?

Comments are closed for this article, but we're still here to help! Visit the support forum and we'll be happy to answer any questions.

View support forum


  1. Mohamed Oka says:

    Thanks Jetpack team.


  2. HZ says:

    What’s up with Jetpack 7.1.1 – is it vulnerable? You haven’t mentioned it above.

    And another Question: Where is the information for widget visibility stored?


    • Kraft says:

      Jetpack 7.1 and Jetpack 7.1.1 are vulnerable. Your site would be offered or auto-updated to Jetpack 7.1.2 to patch it.

      Widget visibilty is stored within the widget instance itself along with the widget’s own data.


      • dandalpiaz says:

        Is Jetpack 7.1.2 available for WordPress 4.9.12? I’m not seeing it as an available update in the WordPress dashboard or from WP-CLI when checking for updates.

        It looks like the minimum supported version should be WordPress 4.9, Any idea why the update might not be showing up as available? (sorry if this is a double post, not sure if my first comment got through)

        Liked by 1 person

      • Kraft says:

        Thanks for asking. I’ve checked with the team, which handles the system that offers upgrades to sites, and he made a tweak which should improve things for older versions of WordPress. You should see the upgrade soon if you still weren’t. Thanks for bringing this up.

        Liked by 2 people

  3. Claudia Xu says:

    Hi, we just received this email from WordPress says that ” We are reaching out to you today because we identified your site are a vulnerable version of the Jetpack plugin.

    According to the author of this plugin, this issue has been patched in a recent update to the plugin.”

    Is there anything we can do to fix it?



    • Kraft says:

      Hi Claudia,

      Just update to the latest version of Jetpack–the full list of patched versions is in the post. Most sites would have been auto-updated to one of the above versions, but if your site is on a different version, please update.


      • Claudia Xu says:

        Thank you for the quick reply! We do have the auto-update plugin, and we are using the latest version. But WordPress seems saying that the issue is causing by the recent update of the plugin. Maybe I get this wrong?


      • Kraft says:

        I believe you’re referring to an e-mail from WP Engine, your hosting provider. “this issue has been patched in a recent update to the plugin” is saying that the issue has been fixed in a recent update, so be sure to update to that version.


      • Claudia Xu says:

        Got it, thank you so much!


  4. Juan Carlos says:

    Hi! I’m on v6.5 but I don’t see the update to 6.5.1 (I need to be kept in that brach because wp4.9.1 and can’t update right now)
    What should i do to force it to update from 6.5 to 6.5.1? Thanks


  5. mspacecreative says:

    I’ve just updated the plugin and noticed that the dashboard seems to be missing its stylesheet. All links and content is displayed without any styling. Is this an issue with the plugin itself? I can’t re-produce the issue with the previous version I have install on a staging site, which is 7.8.1, which leads me to believe it’s an issue with the plugin and not my site files creating a conflict.


    • Kraft says:

      I haven’t seen or heard of that happening yet. Could you reach out via with as much detail as possible regarding which styles appear off.

      WordPress 5.3, also released recently, did update the admin styles too so there will be visible differences on WP 5.3 too.


      • mspacecreative says:

        Thanks for the reply. I probably spoke too soon, as it appears to be an issue with the latest WP version, as you suggested, as I see now that there are styling issues with other plugins I have installed as well.


  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 112,029 other subscribers
  • Browse by Topic

  • %d bloggers like this: