Jetpack VaultPress Security & Risk Analysis

wordpress.org/plugins/vaultpress

(DEPRECATED: Please install "Jetpack VaultPress Backup" instead) Jetpack VaultPress offers real-time backups, one-click restores, and premiu …

10K active installs · v4.0.6 · PHP 7.2+ · WP 5.2+ · Updated Nov 21, 2025
Tags: archive, back-up, malware, security, virus
Security score: 97 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Sep 16, 2017
Safety Verdict

Is Jetpack VaultPress Safe to Use in 2026?

Generally Safe

Score 97/100

Jetpack VaultPress has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Sep 16, 2017 · Updated 4mo ago
Risk Assessment

The VaultPress plugin v4.0.6 exhibits a mixed security posture. On the positive side, it has a low attack surface, and every identified entry point is protected by an authentication check. The high percentage of prepared statements in SQL queries and of properly escaped output are also positive indicators.

However, the static analysis and vulnerability history raise several concerns. The presence of dangerous functions such as 'exec' and 'unserialize', coupled with taint analysis revealing flows with unsanitized paths, is a significant red flag. No critical taint flows were found, but the two high severity flows warrant attention. The plugin's history of two Common Vulnerabilities and Exposures (CVE) entries, one critical and one high severity, both code injection, amplifies these concerns and suggests a recurring vulnerability pattern, although the last known vulnerability dates from 2017.

The plugin's strengths lie in its controlled entry points and output handling, but the potential for code execution and insecure deserialization through dangerous functions and unsanitized data flows presents a notable risk.

Key Concerns

  • High severity taint flows with unsanitized paths
  • Presence of dangerous functions (exec, unserialize)
  • Historical critical CVEs
  • Historical high CVEs
  • Taint analysis shows unsanitized paths
Vulnerabilities
2

Jetpack VaultPress Security Vulnerabilities

CVEs by Year

2 CVEs in 2017

Severity Breakdown

Critical: 1
High: 1

2 total CVEs

WF-f71f2096-e4c9-406a-a4e5-0006b380fbaa-vaultpress · critical · 9.8 · Improper Control of Generation of Code ('Code Injection')

VaultPress <=1.9 - Remote Code Execution

Sep 16, 2017 · Patched in 1.9.1 (2320d)

WF-f321b8f6-0712-4932-b861-b208debb368f-vaultpress · high · 8.1 · Improper Control of Generation of Code ('Code Injection')

VaultPress <= 1.8.6 - Remote Code Execution

Mar 1, 2017 · Patched in 1.8.7 (2519d)
Code Analysis
Analyzed Mar 16, 2026

Jetpack VaultPress Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 8 (17 prepared)
Unescaped Output: 4 (31 escaped)
Nonce Checks: 2
Capability Checks: 7
File Operations: 8
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

exec · class.vaultpress-database.php:362
    if ( function_exists( 'exec' ) && ( $mysql = exec( 'which mysql' ) ) ) {
exec · class.vaultpress-database.php:365
    exec( sprintf( '%s %s', escapeshellcmd( $mysql ), vsprintf( '-A --default-character-set=%s -u%s -p%s
exec · class.vaultpress-filesystem.php:86
    exec( sprintf( '%s %s', escapeshellcmd( $method_bin ), escapeshellarg( $file ) ), $out );
unserialize · vaultpress.php:446
    $messages = unserialize( $messages );
unserialize · vaultpress.php:1503
    $data = @unserialize( wp_remote_retrieve_body( $r ) );
unserialize · vaultpress.php:1861
    foreach( unserialize( $_POST['pings'] ) as $ping ) {
unserialize · vaultpress.php:2085
    $this->response( $bdb->diff( unserialize( base64_decode( $signatures ) ) ) );
unserialize · vaultpress.php:2088
    $this->response( $bdb->count( unserialize( $columns ) ) );
unserialize · vaultpress.php:2091
    $this->response( $bdb->get_cols( unserialize( $columns ), $limit, $offset, $where ) );

SQL Query Safety

68% prepared · 25 total queries

Output Escaping

89% escaped · 35 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
response (vaultpress.php:2542)
Attack Surface

Jetpack VaultPress Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers 1

auth: wp_ajax_aioseop_ajax_save_meta (class.vaultpress-hotfixes.php:13)

WordPress Hooks 93

filter: option_new_admin_email (class.vaultpress-hotfixes.php:8)
filter: get_pagenum_link (class.vaultpress-hotfixes.php:10)
action: init (class.vaultpress-hotfixes.php:16)
action: vp_scan_site (cron-tasks.php:55)
filter: cron_schedules (cron-tasks.php:56)
action: vp_scan_next_batch (cron-tasks.php:57)
filter: my_jetpack_red_bubble_notification_slugs (vaultpress.php:44)
action: admin_notices (vaultpress.php:77)
action: network_admin_notices (vaultpress.php:358)
action: jetpack_admin_menu (vaultpress.php:386)
action: admin_print_styles (vaultpress.php:399)
action: init (vaultpress.php:2864)
filter: jetpack_options_whitelist (vaultpress.php:2865)
action: admin_enqueue_scripts (vaultpress.php:2868)
action: admin_init (vaultpress.php:2872)
action: admin_menu (vaultpress.php:2873)
action: admin_head (vaultpress.php:2874)
action: admin_bar_menu (vaultpress.php:2878)
action: delete_comment (vaultpress.php:2881)
action: wp_set_comment_status (vaultpress.php:2882)
action: trashed_comment (vaultpress.php:2883)
action: untrashed_comment (vaultpress.php:2884)
action: wp_insert_comment (vaultpress.php:2885)
action: comment_post (vaultpress.php:2886)
action: edit_comment (vaultpress.php:2887)
action: added_comment_meta (vaultpress.php:2890)
action: updated_comment_meta (vaultpress.php:2891)
action: deleted_comment_meta (vaultpress.php:2892)
action: user_register (vaultpress.php:2896)
action: password_reset (vaultpress.php:2897)
action: profile_update (vaultpress.php:2898)
action: user_register (vaultpress.php:2899)
action: deleted_user (vaultpress.php:2900)
action: added_usermeta (vaultpress.php:2906)
action: update_usermeta (vaultpress.php:2907)
action: delete_usermeta (vaultpress.php:2908)
action: added_user_meta (vaultpress.php:2910)
action: update_user_meta (vaultpress.php:2911)
action: delete_user_meta (vaultpress.php:2912)
action: delete_post (vaultpress.php:2916)
action: trash_post (vaultpress.php:2917)
action: untrash_post (vaultpress.php:2918)
action: edit_post (vaultpress.php:2919)
action: save_post (vaultpress.php:2920)
action: wp_insert_post (vaultpress.php:2921)
action: edit_attachment (vaultpress.php:2922)
action: add_attachment (vaultpress.php:2923)
action: delete_attachment (vaultpress.php:2924)
action: private_to_publish (vaultpress.php:2925)
action: wp_restore_post_revision (vaultpress.php:2926)
action: added_post_meta (vaultpress.php:2929)
action: update_post_meta (vaultpress.php:2930)
action: updated_post_meta (vaultpress.php:2931)
action: delete_post_meta (vaultpress.php:2932)
action: deleted_post_meta (vaultpress.php:2933)
action: added_postmeta (vaultpress.php:2934)
action: update_postmeta (vaultpress.php:2935)
action: delete_postmeta (vaultpress.php:2936)
action: edit_link (vaultpress.php:2939)
action: add_link (vaultpress.php:2940)
action: delete_link (vaultpress.php:2941)
action: created_term (vaultpress.php:2944)
action: edited_terms (vaultpress.php:2945)
action: delete_term (vaultpress.php:2946)
action: edit_term_taxonomy (vaultpress.php:2947)
action: delete_term_taxonomy (vaultpress.php:2948)
action: edit_term_taxonomies (vaultpress.php:2949)
action: add_term_relationship (vaultpress.php:2950)
action: delete_term_relationships (vaultpress.php:2951)
action: set_object_terms (vaultpress.php:2952)
action: switch_theme (vaultpress.php:2956)
action: activate_plugin (vaultpress.php:2957)
action: deactivate_plugin (vaultpress.php:2958)
action: wp_handle_upload (vaultpress.php:2960)
action: deleted_option (vaultpress.php:2963)
action: updated_option (vaultpress.php:2964)
action: added_option (vaultpress.php:2965)
action: woocommerce_tax_rate_deleted (vaultpress.php:2972)
action: woocommerce_tax_rate_updated (vaultpress.php:2973)
action: woocommerce_tax_rate_added (vaultpress.php:2974)
action: woocommerce_new_order_item (vaultpress.php:2976)
action: woocommerce_update_order_item (vaultpress.php:2977)
action: woocommerce_delete_order_item (vaultpress.php:2978)
action: added_order_item_meta (vaultpress.php:2980)
action: updated_order_item_meta (vaultpress.php:2981)
action: deleted_order_item_meta (vaultpress.php:2982)
action: woocommerce_attribute_added (vaultpress.php:2984)
action: woocommerce_attribute_updated (vaultpress.php:2985)
action: woocommerce_attribute_deleted (vaultpress.php:2986)
action: login_form (vaultpress.php:2992)
filter: authenticate (vaultpress.php:2993)
action: shutdown (vaultpress.php:2997)
filter: pre_update_option_active_plugins (vaultpress.php:3000)

Scheduled Events 2

vp_scan_site
vp_scan_next_batch
Maintenance & Trust

Jetpack VaultPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 21, 2025
PHP min version: 7.2
Downloads: 2.0M

Community Trust

Rating: 76/100
Number of ratings: 72
Active installs: 10K
Developer Profile

Jetpack VaultPress Developer Profile

Automattic

213 plugins · 19.2M total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 1384 days
Detection Fingerprints

How We Detect Jetpack VaultPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/vaultpress/vaultpress.css
/wp-content/plugins/vaultpress/vaultpress.js
Script Paths
/wp-content/plugins/vaultpress/vaultpress.js
Version Parameters
vaultpress/vaultpress.css?ver=
vaultpress/vaultpress.js?ver=

HTML / DOM Fingerprints

CSS Classes
vaultpress-branding
HTML Comments
<!-- VaultPress -->
Data Attributes
data-vp-connection-status
data-vp-registered
JS Globals
VaultPress
vp
REST Endpoints
/wp-json/vaultpress/v1/status