Impact
JetEngine plugin versions up to 3.8.9.1 contain a PHP Object Injection flaw that allows an attacker to instantiate arbitrary PHP classes and execute arbitrary code or manipulate data. This vulnerability falls under CWE-502 and can be leveraged to compromise the WordPress site with complete control over server files and data.
Affected Systems
The affected product is JetEngine by Jetimpex Inc., a WordPress plugin. All releases of JetEngine version 3.8.9.1 and earlier are vulnerable; only versions 3.8.10 and later contain the fix.
Risk and Exploitability
With a CVSS score of 9.8, the flaw is considered high severity and offers the potential for remote code execution. No EPSS score is available and the issue is not listed in the CISA KEV catalog, but the lack of public exploitation evidence does not mitigate the risk. The likely attack vector is through the plugin’s exposed endpoints or administrative interfaces where unsanitized input can trigger the injection.
OpenCVE Enrichment