Description
Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetEngine plugin versions up to 3.8.9.1 contain a PHP Object Injection flaw that allows an attacker to instantiate arbitrary PHP classes and execute arbitrary code or manipulate data. This vulnerability falls under CWE-502 and can be leveraged to compromise the WordPress site with complete control over server files and data.

Affected Systems

The affected product is JetEngine by Jetimpex Inc., a WordPress plugin. All releases of JetEngine version 3.8.9.1 and earlier are vulnerable; only versions 3.8.10 and later contain the fix.

Risk and Exploitability

With a CVSS score of 9.8, the flaw is considered high severity and offers the potential for remote code execution. No EPSS score is available and the issue is not listed in the CISA KEV catalog, but the lack of public exploitation evidence does not mitigate the risk. The likely attack vector is through the plugin’s exposed endpoints or administrative interfaces where unsanitized input can trigger the injection.

Generated by OpenCVE AI on June 18, 2026 at 12:10 UTC.

Remediation

Vendor Solution

Update the WordPress JetEngine Plugin to the latest available version (at least 3.8.10).


OpenCVE Recommended Actions

  • Update the JetEngine plugin to version 3.8.10 or later.
  • Disable or remove the plugin if it is not required for site functionality.
  • Perform a review of custom code and administrative accounts to ensure no unauthorized access remains.

Generated by OpenCVE AI on June 18, 2026 at 12:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress
Vendors & Products Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.
Title WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Jetimpex Inc. Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:22:50.364Z

Reserved: 2026-05-27T10:27:01.186Z

Link: CVE-2026-49075

cve-icon Vulnrichment

Updated: 2026-06-17T12:22:41.755Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:58Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data