Description
Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a PHP Object Injection flaw that allows an unauthenticated attacker to inject and unserialize malicious PHP objects. The flaw leads to arbitrary code execution and compromises confidentiality, integrity, and availability of the affected WordPress site. It is identified as CWE‑502, a classic object injection weakness.

Affected Systems

The JetEngine plugin for WordPress, developed by Jetimpex Inc., is compromised in all releases up to and including 3.8.10. Any WordPress site running a vulnerable version of JetEngine is at risk.

Risk and Exploitability

With a CVSS score of 9.8, this issue is considered critical. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the lack of authentication requirements makes exploitation trivial over the network. Attackers can reach the vulnerable plugin via crafted HTTP requests, triggering unserialization and enabling code execution.

Generated by OpenCVE AI on June 18, 2026 at 12:07 UTC.

Remediation

Vendor Solution

Update the WordPress JetEngine Plugin to the latest available version (at least 3.8.10.1).


OpenCVE Recommended Actions

  • Update the JetEngine plugin to version 3.8.10.1 or newer.
  • If an immediate update is not possible, deactivate the JetEngine plugin to block unauthenticated access until the patch is applied.
  • As a temporary safeguard, restrict access to the plugin’s REST API or administrative endpoints to trusted IP addresses or authenticated users using firewall or WordPress role settings.

Generated by OpenCVE AI on June 18, 2026 at 12:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress
Vendors & Products Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions.
Title WordPress JetEngine plugin <= 3.8.10 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Jetimpex Inc. Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:35:20.135Z

Reserved: 2026-06-08T10:11:13.730Z

Link: CVE-2026-52706

cve-icon Vulnrichment

Updated: 2026-06-17T15:35:13.184Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:48Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data