A big question and also a reason why loads of sites with jQuery (versions installed when the functionality was introduced on a website, often website origin date :o).
This site has now been cleansed: http://killmalware.com/kcrockyhorror.com/# and was hacked some 12 days ago.
http://kcrockyhorror.com/wp-includes/js/jquery/jquery.js?ver=1.11.2
http://kcrockyhorror.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
http://kcrockyhorror.com/wp-content/plugins/random-image-gallery-with-pretty-photo-zoom/js/jquery.prettyPhoto.js?ver=4.2.2
http://kcrockyhorror.com/wp-content/plugins/revslider/rs-plugin/js/jquery.themepunch.revolution.min.js?ver=4.2.2
http://kcrockyhorror.com/wp-content/plugins/wp-easy-gallery/js/jquery.prettyPhoto.js?ver=4.2.2
http://kcrockyhorror.com/wp-content/plugins/wp-easy-gallery/js/EasyGalleryLoader.js?ver=4.2.2
http://kcrockyhorror.com/wp-content/plugins/cforms146/js/cforms.js
http://s0.wp.com/wp-content/js/devicepx-jetpack.js?ver=201528
http://s.gravatar.com/js/gprofiles.js?ver=2015Julaa
http://kcrockyhorror.com/wp-content/plugins/jetpack/modules/wpgroho.js?ver=4.2.2
http://kcrockyhorror.com/wp-includes/js/jquery/ui/core.min.js?ver=1.11.4
http://kcrockyhorror.com/wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4
http://kcrockyhorror.com/wp-includes/js/jquery/ui/mouse.min.js?ver=1.11.4
http://kcrockyhorror.com/wp-includes/js/jquery/ui/sortable.min.js?ver=1.11.4
http://kcrockyhorror.com/wp-includes/js/jquery/ui/tabs.min.js?ver=1.11.4
http://kcrockyhorror.com/wp-includes/js/jquery/ui/accordion.min.js?ver=1.11.4
http://kcrockyhorror.com/wp-content/themes/kora/js/fancybox/jquery.fancybox-1.3.4.js?ver=1.0.4
http://kcrockyhorror.com/wp-content/themes/kora/js/sliders/responsiveslides.js?ver=1.0.4
http://kcrockyhorror.com/wp-content/themes/kora/js/sliders/jquery.jcarousel.min.js?ver=1.0.4
http://kcrockyhorror.com/wp-content/themes/kora/js/jquery.sticky.js?ver=1.0.4
http://kcrockyhorror.com/wp-content/themes/kora/js/jquery.isotope.min.js?ver=1.0.4
http://kcrockyhorror.com/wp-content/themes/kora/js/jquery.hoverdir.js?ver=1.0.4
http://kcrockyhorror.com/wp-content/themes/kora/js/mfn-menu.js?ver=1.0.4
http://kcrockyhorror.com/wp-includes/js/jquery/jquery.form.min.js?ver=3.37.0
http://kcrockyhorror.com/wp-content/themes/kora/js/scripts.js?ver=1.0.4
http://kcrockyhorror.com/wp-includes/js/comment-reply.min.js?ver=4.2.2
http://stats.wp.com/e-201528.js
See 2 detected as vulnerable, like here: http://retire.insecurity.today/#!/scan/8a2826d1f54e702c5f420e9ab696cc4226d4e1d3227e63ebc42a8328d5ea25ff
On this site this is vulnerable, read: https://wordpress.org/support/topic/jquery-migrate-vulnerability-or-false-alarm
Kora theme vulnerable: http://forum.muffingroup.com/kora/discussion/476/theme-mail-php-vulnerable/p1
Also see the tracker tracker report attached (widget tracking mainly)
polonus