What is the CVSS score of CVE-2026-52706?

CVE-2026-52706 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of JetEngine are affected by CVE-2026-52706?

Crocoblock JetEngine, a commercial WordPress plugin, contains a critical vulnerability enabling unauthenticated remote attackers to completely compromise affected websites without authentication…

How to fix or mitigate CVE-2026-52706?

Within 24 hours: Execute asset discovery to identify all WordPress installations using Crocoblock JetEngine 3.8.10 and earlier; document exact versions and criticality ratings; deploy Web Application Firewall (WAF) rules to block PHP object injection and unsafe deserialization attempts; restrict WordPress admin panel access to VPN-authenticated networks with multi-factor authentication. Within 7 days: Complete business impact analysis on JetEngine criticality; immediately disable the plugin across non-critical environments; for critical deployments, implement file integrity monitoring on WordPress directories, enhanced audit logging, and network segmentation limiting plugin data access. Within 30 days: Establish daily monitoring of Crocoblock security advisories; maintain current offline backups; when Crocoblock releases a patched version, perform testing in isolated environment and schedule phased upgrades of all production installations.

JetEngine CVE-2026-52706

EUVD-2026-37628 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-06-17 Patchstack

PHP Deserialization Jetengine

9.8

CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI

9.8 CRITICAL

Unauthenticated PHP object injection reachable over the network with no user interaction; successful POP chain yields RCE in the web worker, giving full C/I/A impact within the WordPress scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 17, 2026 - 12:00 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions.

AnalysisAI

Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject arbitrary PHP objects, potentially leading to full site compromise via gadget-chain abuse. The CVSS 9.8 score reflects network-reachable, no-authentication, no-interaction exploitation against a widely deployed commercial WordPress plugin. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify WordPress site running JetEngine ≤ 3.8.10

Delivery

Craft serialized PHP object with POP gadget chain

Exploit

Send unauthenticated HTTP request to vulnerable endpoint

Install

Trigger unsafe unserialize() in plugin

Execute gadget chain via magic methods

Execute

Deploy webshell and exfiltrate wp-config.php

Impact

Pivot to database and persist

Recon

Identify WordPress site running JetEngine ≤ 3.8.10

Delivery

Craft serialized PHP object with POP gadget chain

Exploit

Send unauthenticated HTTP request to vulnerable endpoint

Install

Trigger unsafe unserialize() in plugin

Execute gadget chain via magic methods

Execute

Deploy webshell and exfiltrate wp-config.php

Impact

Pivot to database and persist

Vulnerability AssessmentAI

Exploitation	No special conditions - remote unauthenticated exploitation against default configurations of the JetEngine WordPress plugin (versions <= 3.8.10) reachable over HTTP/HTTPS, consistent with CVSS AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals point to a high-priority issue but with caveats. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker sends a crafted HTTP request to a vulnerable JetEngine endpoint on a public WordPress site, embedding a serialized PHP object designed to trigger a POP gadget chain in the WordPress runtime. When PHP deserializes the payload, magic methods execute attacker-controlled logic, leading to arbitrary file write or code execution in the web server context - typically deployment of a webshell, theft of wp-config.php credentials, and pivot to the database. …
Remediation	Patch available per vendor advisory; administrators should upgrade JetEngine to the latest release above 3.8.10 as published by Crocoblock and tracked at https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-10-php-object-injection-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Execute asset discovery to identify all WordPress installations using Crocoblock JetEngine 3.8.10 and earlier; document exact versions and criticality ratings; deploy Web Application Firewall (WAF) rules to block PHP object injection and unsafe deserialization attempts; restrict WordPress admin panel access to VPN-authenticated networks with multi-factor authentication. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH This Week POC

7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi

CVE-2026-9815 MEDIUM This Month POC

6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co

CVE-2026-48908 CRITICAL Act Now

10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL Act Now

10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve

CVE-2025-69108 CRITICAL Act Now

9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

CVE-2026-52706 vulnerability details – vuln.today

Back

JetEngine CVE-2026-52706

Severity by source

CVSS VectorVendor: Patchstack

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code