Fetch JFT Security & Risk Analysis

wordpress.org/plugins/fetch-jft

Fetch JFT is a plugin that pulls the Just For Today from jftna.org and puts it on your page or post.

100 active installs · v1.9.1 · PHP 7.3+ · WP + · Updated Jun 6, 2025
Tags: jft, just-for-today, na, narcotics-anonymous
Score: 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: May 28, 2024
Safety Verdict

Is Fetch JFT Safe to Use in 2026?

Generally Safe

Score 99/100

Fetch JFT has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: May 28, 2024 · Updated 10mo ago
Risk Assessment

The "fetch-jft" plugin v1.9.1 exhibits a mixed security posture. On the positive side, the static analysis reveals a strong adherence to secure coding practices with 100% output escaping and no identified dangerous functions, file operations, or external HTTP requests. The limited attack surface, consisting of a single shortcode with no explicit auth checks, and the absence of taint analysis findings are also encouraging.

However, significant concerns arise from the vulnerability history. The presence of a previously disclosed medium-severity Cross-Site Scripting (XSS) vulnerability, even though currently patched, indicates a historical weakness in input sanitization or output encoding. The lack of nonce checks and capability checks for the identified entry points (shortcode) is a notable oversight, as these are fundamental security mechanisms for preventing unauthorized actions and ensuring input integrity.

While the current version shows improvements, the past XSS vulnerability and the absence of built-in authorization checks for its shortcode suggest potential areas for improvement. The plugin's security is heavily reliant on the fact that its sole entry point (shortcode) likely doesn't handle untrusted user input in a way that could immediately lead to issues, or that the XSS was fixed internally. A cautious approach is recommended, with ongoing monitoring for future vulnerabilities.

Key Concerns

  • Medium severity XSS vulnerability historically
  • No nonce checks on entry points
  • No capability checks on entry points
  • SQL queries not always prepared
Vulnerabilities
1

Fetch JFT Security Vulnerabilities

CVEs by Year

1 CVE in 2024

Severity Breakdown

Medium: 1

1 total CVE

CVE-2024-4419 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Fetch JFT <= 1.8.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 28, 2024 · Patched in 1.8.4 (1d)
Code Analysis
Analyzed Mar 16, 2026

Fetch JFT Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (2 prepared)
Unescaped Output: 0 (37 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

50% prepared · 4 total queries

Output Escaping

100% escaped · 37 total outputs
Attack Surface

Fetch JFT Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[jft] fetch-jft-plugin.php:44
WordPress Hooks 7
action · init · fetch-jft-plugin.php:35
action · admin_menu · fetch-jft-plugin.php:41
action · wp_enqueue_scripts · fetch-jft-plugin.php:43
action · widgets_init · fetch-jft-plugin.php:45
action · admin_init · src\Dashboard.php:12
action · admin_menu · src\Dashboard.php:13
action · admin_enqueue_scripts · src\Dashboard.php:14
Maintenance & Trust

Fetch JFT Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 6, 2025
PHP min version: 7.3
Downloads: 7K

Community Trust

Rating: 90/100
Number of ratings: 2
Active installs: 100
Developer Profile

Fetch JFT Developer Profile

pjaudiomv

10 plugins · 370 total installs

Trust score: 99
Avg Security Score: 98/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Fetch JFT

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/fetch-jft/css/jft.css
Script Paths: /wp-content/plugins/fetch-jft/js/jft.js
Version Parameters: fetch-jft/css/jft.css, fetch-jft/js/jft.js

HTML / DOM Fingerprints

Data Attributes: id="language-container", id="layout-container"
Shortcode Output: [jft]
FAQ

Frequently Asked Questions about Fetch JFT