Impact
This vulnerability is a PHP Object Injection flaw that allows an unauthenticated attacker to inject and unserialize malicious PHP objects. The flaw leads to arbitrary code execution and compromises confidentiality, integrity, and availability of the affected WordPress site. It is identified as CWE‑502, a classic object injection weakness.
Affected Systems
The JetEngine plugin for WordPress, developed by Jetimpex Inc., is compromised in all releases up to and including 3.8.10. Any WordPress site running a vulnerable version of JetEngine is at risk.
Risk and Exploitability
With a CVSS score of 9.8, this issue is considered critical. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the lack of authentication requirements makes exploitation trivial over the network. Attackers can reach the vulnerable plugin via crafted HTTP requests, triggering unserialization and enabling code execution.
OpenCVE Enrichment