Description
Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JetEngine plugin for WordPress contains an unauthenticated Cross Site Scripting (XSS) flaw that permits an attacker to inject arbitrary JavaScript into pages served by the site. If exploited, the injected code would execute in the context of any user who interacts with those pages, potentially allowing the attacker to steal session cookies, deface content, redirect users, or launch further attacks. This weakness is classified as CWE‑79.

Affected Systems

WordPress installations that load JetEngine versions 3.8.10 or earlier are vulnerable. The vendor responsible is Jetimpex Inc., and the affected product is the JetEngine plugin for WordPress. Any deployment using this plugin in the specified version range is at risk.

Risk and Exploitability

The vulnerability is rated with a CVSS score of 7.1, indicating high severity. EPSS is not available, and the issue does not appear in CISA's KEV catalog, suggesting no confirmed exploitation yet. Because authentication is not required, the flaw could be triggered simply by browsing or by submitting crafted content through JetEngine‑powered forms, making it easily reachable to unauthenticated threat actors.

Generated by OpenCVE AI on June 18, 2026 at 13:59 UTC.

Remediation

Vendor Solution

Update the WordPress JetEngine Plugin to the latest available version (at least 3.8.10.1).


OpenCVE Recommended Actions

  • Update the JetEngine plugin to version 3.8.10.1 or newer
  • Deploy a restrictive Content Security Policy that blocks inline script execution and disallows unsafe-eval
  • Review and sanitise any custom input fields added via JetEngine to enforce server‑side validation

Generated by OpenCVE AI on June 18, 2026 at 13:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress
Vendors & Products Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions.
Title WordPress JetEngine plugin <= 3.8.10 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Jetimpex Inc. Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:35:50.140Z

Reserved: 2026-06-12T09:15:46.417Z

Link: CVE-2026-54189

cve-icon Vulnrichment

Updated: 2026-06-17T15:35:43.825Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:39Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')