• I have 21 subscribers to my blog. Only two of them are real people. I am getting code injections for Crestor, Viagra, etc. in these subscriptions.

    How do I unsubscribe the bogus one?

    Is there a way to block bogus ones?

    Example in the source for one of my post pages advertising Crestor:

    <p id="subscribe-email">
    <label id="jetpack-subscribe-label" for="subscribe-field">
    Email Address </label>
    <input type="email" name="email" value="" id="subscribe-field" placeholder="Email Address" />
    </p>

    <p id="subscribe-submit">
    <input type="hidden" name="action" value="subscribe" />
    <input type="hidden" name="source" value="https://stc-access.org/page/13/?item=crestor-no-prescription-buy-crestor-online-prescription&cat=crestor" />
    <input type="hidden" name="sub-type" value="widget" />
    <input type="hidden" name="redirect_fragment" value="blog_subscription-4" />
    <input type="hidden" id="_wpnonce" name="_wpnonce" value="2e1f291c7b" /> <input type="submit" value="Subscribe" name="jetpack_subscriptions_widget" />
    </p>
    </form>

    When I look at the list of Jetpack Stats Subscribers, all I see are email addresses and when they subscribed.

    https://www.ads-software.com/plugins/jetpack/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    You can’t currently remove subscribers yourself. Only the subscribers themselves can cancel their subscription.

    Subscribers shouldn’t be able to inject code into your site, though. Could you post your site URL here, so I can have a look at your subscriptions widget?

    If you want it to remain private, you can also contact us via this contact form:
    https://jetpack.me/contact-support/

    Thread Starter sleeplessindc

    (@sleeplessindc)

    The link to the page is included in the hidden input field shown in my original post at the top. Because I couldn’t delete the 25 or so bogus email address subscribers and I kept finding pharmaceutical ads injected into the Jetpack subscribers form as shown in my original post showing what the browser’s View Source looked like and throughout the database, I deactivated the Subscriptions widget. I did compare files with an earlier backup of my site and the widget file looked the same.

    Even though the subscription form is now gone from the pages, that link is still “good”.
    https://stc-access.org/page/13/?item=crestor-no-prescription-buy-crestor-online-prescription&cat=crestor
    You can go to it, get a page of several posts, View the Source in the browser, and scroll down to the following lines starting around 450-490:
    <nav class="post-nav" role="navigation">
    <div class="nav-previous">Older posts</div>
    <div class="nav-next">Newer posts</div>
    </nav>
    <!-- / .post-nav -->
    </section>
    <!-- / #content -->

    The database is full of similar injections for a variety of pharmaceuticals. I clean them out of the various tables they show up in but they return again and again. I’ve sent samples to Wordfence Security and they said their latest update was supposed to block that. It didn’t.

    My hosting service says he thinks it is coming from the whole Jetpack plugin and that I should deactivate and delete Jetpack. I’ve replaced all the plugins from newly downloaded ones to be sure they are the original files. It is unfortunate because I like many of the Jetpack widgets and don’t want to have to do that.

    Because it showed up as a hidden field in the subscription form, I blamed that and deactivated it. But the injections still occur, so maybe my hosting service is correct and something else in Jetpack is corrupted. I didn’t know it was happening until I looked at my Live Traffic reports and in Google Webmaster Tools and saw thousands of 404 Not Founds that all pointed to those injections. Hard to say when it all started–it seems to have been going on for several months. It really racks up the 404 Not Found errors. Maybe that’s the point?

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    Thanks for the extra details!

    The form’s input field grabs the URL of the page you’re looking at, so you could really make up just about any URL parameter, and it would appear in the form’s input field. Here is an example on my own site, where I added ?coming-from-jetpack-support-forums to the URL:
    https://i.wpne.ws/aKuX

    That doesn’t mean that the form has been hacked, though. When you submit the form, it doesn’t add anything to your database. Jetpack subscriptions are stored on WordPress.com, so they actually never add anything to your database.

    This hidden input field also doesn’t add anything to your site, since it only changes the URL where the form is submitted.

    Once you add that parameter to a URL on your site, it will be added to other links on the page. For example, if I add ?item=hi-from-jeremy to one of your pages, it will be displayed in the Previous / Next links as well:
    https://i.wpne.ws/aLId

    All this doesn’t mean you’ve been hacked. However, if you have mentions of pharmaceutical products in your database, you have a problem. You’ll need to understand how these mentions were added to your database, and clean everything up.
    I don’t think these were added by Jetpack. If I were to guess, I’d start looking at e-commerce or product listing plugins you may use or may have used in the past, as the item and cat parameters indicate some kind of listing.

    One way to find out more would be to look at your database and check where these pharmaceutical products are mentioned. In posts? In comments? In your site options? Once you find out more, you should be able to understand how they were added to your site.

    You will also need to go through the steps described here to clean your site up.

    Let me know how it goes.
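
Added example (not part of the reply above and not Jetpack code): a triage of rendered HTML that separates spam terms merely echoed from the request's query string, as in the hidden `source` field and the Previous / Next links, from terms that are present regardless of the URL and therefore stored in the site. The `Collector` and `triage` names, the `example.org` host and the sample markup are constructed for illustration; only the query string comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

SPAM_TERMS = ("crestor", "viagra")  # terms named in the thread


class Collector(HTMLParser):
    """Collect every attribute value and text node with its location."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.items = []          # (location, value)
        self._tag = "document"   # tag of the most recent start tag

    def handle_starttag(self, tag, attrs):
        self._tag = tag
        for name, value in attrs:
            if value:
                self.items.append((f"{tag}@{name}", value))

    def handle_data(self, data):
        if data.strip():
            self.items.append((f"{self._tag} text", data.strip()))


def triage(request_url, html):
    """Label each spam hit 'reflected' (echo of the request's query string)
    or 'stored' (still there once the echoed name=value pairs are removed)."""
    query = parse_qsl(urlsplit(request_url).query)
    pairs = sorted((f"{k}={v}".lower() for k, v in query), key=len, reverse=True)
    parser = Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for location, value in parser.items:
        text = unquote(value).lower()
        if not any(term in text for term in SPAM_TERMS):
            continue
        for pair in pairs:               # strip what the request itself supplied
            text = text.replace(pair, "")
        stored = any(term in text for term in SPAM_TERMS)
        findings.append((location, "stored" if stored else "reflected"))
    return findings


# Constructed sample: query string from the thread, host and markup invented.
QUERY = "item=crestor-no-prescription-buy-crestor-online-prescription&cat=crestor"
URL = "https://example.org/page/13/?" + QUERY
ESCAPED = QUERY.replace("&", "&amp;")
PAGE = (f'<input type="hidden" name="source" value="https://example.org/page/13/?{ESCAPED}" />\n'
        f'<div class="nav-previous"><a href="/page/14/?{ESCAPED}">Older posts</a></div>\n'
        "<p>Buy crestor online</p>\n")
```

Only the `stored` findings call for a database clean-up; the same result can be cross-checked by requesting the page without any query string and seeing which terms remain.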

    Thread Starter sleeplessindc

    (@sleeplessindc)

    Thanks. I don’t use any e-commerce or product list plugins. But I do belong to the Amazon.com Associates program and have their search box and some links to books on the site. I wonder if those cat and item parameters are coming from the amazon.com links, the search box, or the aStore? I’ll have to check those links. But I have that on several other sites that are not getting the pharma injections. Hmmm.

    Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    I wonder if those cat and item parameters are coming from the amazon.com links, the search box, or the aStore

    It could be. It might be worth checking your site referrers to find out more: you might be able to see if you get a lot of referrals from Amazon.com, or from suspicious sites.

  • The topic ‘How do I delete bogus JetPack Subscriptions?’ is closed to new replies.