Skip to main content

JetEngine CVE-2026-49074

| EUVD-2026-37616 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-17 Patchstack
XSS Jetengine
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable WordPress plugin, no auth required, but victim must render payload (UI:R); XSS executes in browser context distinct from server (S:C) with limited C/I/A impact bounded by victim privileges.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:07 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions.

AnalysisAI

Unauthenticated reflected/stored cross-site scripting in the JetEngine WordPress plugin (versions <= 3.8.9.1) allows remote attackers to inject malicious script into pages rendered by the plugin, which then executes in the browser of any visitor who interacts with the crafted content. Successful exploitation enables session hijacking, credential theft, or administrative actions performed against logged-in WordPress users including site administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify WordPress site running JetEngine ≤ 3.8.9.1
Delivery
Craft malicious XSS payload in JetEngine input
Exploit
Deliver link to admin via phishing
Install
Victim browser renders payload
C2
Script executes in WordPress origin
Execute
Steal session cookie or trigger admin actions
Impact
Persist via new admin user or backdoor plugin
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a target WordPress site running the JetEngine plugin at version 3.8.9.1 or earlier reachable over the network, (2) user interaction - a victim (typically an administrator or logged-in editor) must visit or render the attacker-controlled URL/content containing the XSS payload (per CVSS UI:R), and (3) the attacker delivering the payload through the specific JetEngine input vector identified by Patchstack. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS:3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L yields 7.1 (High), reflecting network reach, no authentication, but required user interaction and a scope change (typical of XSS executing in another security context - the victim's browser session). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or submits content containing a malicious script payload targeting a vulnerable JetEngine input handler on a public WordPress site, then sends the link to a site administrator via phishing or embeds it where staff will view it. When the administrator's browser renders the page, the script executes in the WordPress origin and exfiltrates the session cookie or issues authenticated requests (e.g., create new admin user, install a malicious plugin), pivoting from XSS to full site takeover.
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data - administrators should upgrade JetEngine to the latest release published by Crocoblock above 3.8.9.1 as soon as it is available and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-9-1-cross-site-scripting-xss-vulnerability for the exact fix version. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations and identify those running JetEngine plugin version 3.8.9.1 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49075 CRITICAL
9.8 Jun 17

PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Co
CVE-2026-52706 CRITICAL
9.8 Jun 17

Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote

CVE-2026-49076 CRITICAL
9.3 Jun 17

Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote att
CVE-2026-49084 CRITICAL
9.3 Jun 17

Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inj
CVE-2026-54187 CRITICAL
9.3 Jun 17

Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to

Share

CVE-2026-49074 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy