Description
Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows unauthenticated users to inject arbitrary JavaScript into pages rendered by the JetEngine plugin in WordPress installations running versions 3.8.10 or earlier; this client‑side Cross‑Site Scripting flaw (CWE‑79) can lead to session hijacking, defacement, or execution of arbitrary code within the context of the site’s users and requires no authentication other than a crafted URL or page visit.

Affected Systems

The issue affects the JetEngine plugin published by Jetimpex Inc. for WordPress, specifically all releases up to and including version 3.8.10; administrators are advised to upgrade to at least version 3.8.10.1 where the flaw has been remediated.

Risk and Exploitability

The exposed client‑side weakness carries a CVSS score of 7.1, indicating high risk, no EPSS data is available, and the flaw is not listed in the CISA KEV catalog. Because the attack vector is unauthenticated and only requires a crafted URL, exploitation chances are high for any publicly accessible WordPress site that has not applied the fix. Attackers can use the XSS vector to steal credentials or spread malware by influencing victim browsers while interacting with the site.

Generated by OpenCVE AI on June 18, 2026 at 12:06 UTC.

Remediation

Vendor Solution

Update the WordPress JetEngine Plugin to the latest available version (at least 3.8.10.1).


OpenCVE Recommended Actions

  • Update the JetEngine plugin to version 3.8.10.1 or newer.
  • If an immediate upgrade is not possible, disable or remove all JetEngine modules that expose input fields such as forms, listings, or metaboxes until the patch is applied, to prevent the XSS vectors from being usable.
  • Review any custom code or shortcodes that render JetEngine output, ensuring that displayed data is properly escaped to mitigate XSS.

Generated by OpenCVE AI on June 18, 2026 at 12:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress
Vendors & Products Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions.
Title WordPress JetEngine plugin <= 3.8.10 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Jetimpex Inc. Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:36:07.987Z

Reserved: 2026-06-12T09:15:46.417Z

Link: CVE-2026-54188

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:41Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')