
JetEngine CVE-2026-49075

EUVD-2026-37617 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-17 · Patchstack
CVSS 3.1 score 9.8 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.8 HIGH

Network-reachable WordPress endpoint with low attack complexity, but exploitation requires an authenticated Contributor account, so PR:L rather than PR:N; deserialization typically yields full CIA impact via RCE.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 12:06 (vuln.today)

Description (CVE.org)

Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.

Analysis (AI)

PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Contributor role to inject crafted serialized objects that are deserialized by the plugin, potentially leading to code execution or other gadget-chain abuse on the host site. The flaw, reported by Patchstack and tracked under CWE-502, requires only the low-privileged Contributor role rather than admin access, which significantly broadens the attacker pool on multi-author WordPress installations. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain Contributor account on target WordPress site
Delivery: Craft serialized PHP object payload using known POP gadget
Exploit: Submit payload via JetEngine field or form
Install: Plugin calls unserialize() on attacker input
C2: Gadget chain executes during object destruction
Execute: Write webshell or execute code as web user
Impact: Pivot to full site compromise

Vulnerability Assessment (AI)

Exploitation: The attacker must hold a valid WordPress Contributor (or higher) account on a target site running the JetEngine plugin at version 3.8.9.1 or earlier, and the site must have at least one loaded plugin, theme or library that provides a usable PHP POP gadget chain reachable from unserialize(). …

Risk Assessment: There is a notable conflict between signals: the published CVSS 3.1 vector scores 9.8 with PR:N (unauthenticated), but the vulnerability title explicitly states 'Contributor', a WordPress role that requires a valid authenticated account. …

Exploit Scenario: An attacker registers or compromises a low-privileged Contributor account on a WordPress site running JetEngine ≤ 3.8.9.1, then submits a draft post or form containing a crafted serialized PHP payload through a vulnerable JetEngine field. When the plugin deserializes the input, a POP gadget chain in WordPress core or another installed plugin is triggered, leading to arbitrary file write or remote code execution as the web-server user. …

Remediation: Upgrade JetEngine to a version newer than 3.8.9.1 as published by Crocoblock. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-9-1-php-object-injection-vulnerability for the exact fixed release; the supplied data did not independently confirm a released patched version (treat as 'Upstream fix expected per Patchstack advisory; released patched version not independently confirmed'). …

Recommended Action (AI)

24 hours: Inventory all WordPress installations running JetEngine and identify current versions; prepare to disable the plugin if operational requirements allow. …
