Automattic Jetpack Crm
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Automattic Jetpack Crm.
By the Year
In 2026 there have been 1 vulnerability in Automattic Jetpack Crm with an average score of 7.5 out of ten. Jetpack Crm did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 7.50 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 3 | 5.90 |
| 2022 | 1 | 4.80 |
It may take a day or so for new Jetpack Crm vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Automattic Jetpack Crm Security Vulnerabilities
Jetpack CRM <=6.7.0 LFI via Improper Filename Control
CVE-2026-22356
7.5 - High
- February 20, 2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Automattic Jetpack CRM zero-bs-crm allows PHP Local File Inclusion.This issue affects Jetpack CRM: from n/a through <= 6.7.0.
Remote file include
Jetpack CRM WP plugin 5.3.1 PHAR deserialization CVE-2022-3342
CVE-2022-3342
7.5 - High
- October 20, 2023
The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the zbscrmcsvimpf parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected in the execution stream. This allows an unauthenticated attacker to obtain object injection if they are able to upload a phar archive (for instance if the site supports image uploads) and then trick an administrator into performing an action, such as clicking a link.
Marshaling, Unmarshaling
Stored XSS in Jetpack CRM Plugin v<=5.4.4 (admin+)
CVE-2023-27429
4.8 - Medium
- June 21, 2023
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Automattic - Jetpack CRM team Jetpack CRM plugin <= 5.4.4 versions.
XSS
Jetpack CRM WP Plugin 5.5before: Unvalidated Shortcode XSS Vulnerability
CVE-2022-4497
5.4 - Medium
- January 09, 2023
The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins
XSS
XSS in Jetpack CRM WordPress Plugin < 5.4.3 (High-Privilege XSS)
CVE-2022-3919
4.8 - Medium
- December 12, 2022
The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Automattic Jetpack Crm or by Automattic? Click the Watch button to subscribe.
