jQuery earlier than 3.0.0 is vulnerable to hacks. See this NIST report:
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
I really, really wish they'd upgrade. While we wait, I have to pay $25/month for not being PCI compliant due to this.
Plus, it truly is a known security risk, so hackers may target X-Cart sites knowing that we all have this older version.