Description
Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated XSS flaw that allows an attacker to inject arbitrary JavaScript into the site’s pages. This can lead to session hijacking, credential theft, defacement, or the execution of malicious payloads within the browser of any visitor. The flaw is rooted in improper input sanitization, as identified by CWE‑79, and grants attackers the ability to compromise confidentiality, integrity, and availability of the affected site’s content.

Affected Systems

The issue affects Jetimpex Inc.’s JetEngine plugin versions up to and including 3.8.9.1. WordPress sites installing or using these vulnerable plugin editions are exposed.

Risk and Exploitability

The CVSS score of 7.1 classifies this as a high‑severity vulnerability. Though an EPSS score is unavailable, the flaw’s design allows exploitation from any external visitor without authentication, implying a high likelihood of targeted attacks. It is not listed in the CISA KEV catalog, but the absence of a need for admin rights and the potential for widespread impact raise the practical risk for vulnerable installations.

Generated by OpenCVE AI on June 18, 2026 at 12:10 UTC.

Remediation

Vendor Solution

Update the WordPress JetEngine Plugin to the latest available version (at least 3.8.10).


OpenCVE Recommended Actions

  • Upgrade the JetEngine plugin to version 3.8.10 or later to remove the vulnerable code.
  • If an upgrade is temporarily infeasible, disable any plugin components that render user‑supplied content until a patch is applied.
  • As a last resort, apply a site‑wide content security policy that blocks inline scripts to mitigate the XSS impact while awaiting an official fix.

Generated by OpenCVE AI on June 18, 2026 at 12:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress
Vendors & Products Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions.
Title WordPress JetEngine plugin <= 3.8.9.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Jetimpex Inc. Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:35:03.896Z

Reserved: 2026-05-27T10:27:01.186Z

Link: CVE-2026-49074

cve-icon Vulnrichment

Updated: 2026-06-17T15:34:56.044Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:00Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')