Security vulnerabilities in Jetpack (2)
-
DOS through IP spoofing – (Jetpack <= 11.3.1)
Jetpack is susceptible to IP spoofing during login rate limiting, which an attacker can abuse to prevent legitimate users and/or a site’s reverse proxy from making requests to the wp-login.php endpoint.
-
WAF bypass through IP spoofing – (Jetpack <= 11.3.1)
Jetpack contains a currently NOT exploitable security flaw that allows an attacker to bypass all WAF rules.