Severity by source
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (base score 7.1, High)
Unauthenticated, network-delivered XSS that needs one victim interaction (a click on a crafted link or a visit to a crafted page). Scope is Changed because the vulnerable component (the plugin's server-side code) and the impacted component (the victim's browser, running the script under the site's origin) differ; confidentiality, integrity and availability impacts are each rated Low, as is typical for script execution in a browser.
Primary rating from the vendor source, Patchstack.
CVSS vector (vendor: Patchstack): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description (CVE.org)
Unauthenticated Cross-Site Scripting (XSS) in JetEngine versions <= 3.8.10.
Analysis (AI-generated)
Cross-site scripting (the advisory does not state whether reflected or stored) in the JetEngine WordPress plugin, versions 3.8.10 and earlier, allows a remote, unauthenticated attacker to inject script that runs in a victim's browser once the victim opens a crafted link or page. The flaw was reported by Patchstack and carries a CVSS 3.1 base score of 7.1. The Scope:Changed rating reflects that the script executes in the victim's browser under the WordPress site's origin, a component separate from the vulnerable plugin code. …
Vulnerability Assessment (AI-generated)
| Topic | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) a target WordPress site running JetEngine 3.8.10 or earlier with the vulnerable input sink reachable over the network; no authentication is needed to deliver the payload (PR:N); and (2) user interaction (UI:R), such as a victim clicking a crafted link or visiting a page that carries the injected content. … |
| Risk Assessment | The vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L describes a network-reachable, low-complexity, unauthenticated attack that does require user interaction and yields only Low confidentiality, integrity and availability impact. The 7.1 score is driven mainly by the scope change (S:C); the same metrics with S:U score 6.3. S:C is the standard CVSS 3.1 treatment of XSS: the vulnerable component is the plugin's server-side code, the impacted component is the victim's browser, which executes the script with the authority of the site's origin. … |
| Exploit Scenario | An attacker crafts a URL or a piece of content (for example a dynamic field value, comment or submitted listing) that JetEngine renders without proper output encoding, then lures a WordPress user, ideally a logged-in administrator, into clicking the link or viewing the page. The payload runs in the victim's browser under the site's origin. Because WordPress sets its authentication cookies HttpOnly, outright cookie theft is usually not the payoff; instead the script can read a nonce from the page (for example the REST nonce that admin screens expose to page scripts) and issue authenticated requests to the REST API or admin-ajax as the victim, up to creating a new administrator account as a persistent backdoor. … |
| Remediation | A patch is available per the vendor advisory: upgrade JetEngine to the release that follows 3.8.10 as listed on the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-10-cross-site-scripting-xss-vulnerability-2). The exact fixed version is not independently confirmed in the input data, so verify it against the Crocoblock changelog before deploying. … |
Recommended Action (AI-generated)
Within 24 hours: inventory all JetEngine installations and identify which run version 3.8.10 or earlier; document business criticality and the affected user populations for each. …
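Added example for the inventory step, not from the page, Patchstack or Crocoblock: a small Python scanner that finds JetEngine installs under a directory tree by their WordPress plugin header and flags any whose version is at or below 3.8.10. It assumes the standard plugin layout `wp-content/plugins/jet-engine/jet-engine.php` (the directory name follows the `jet-engine` slug in the Patchstack URL; the main file name is an assumption to verify on your hosts). The two fake docroots it builds are constructed demo data; a version above the range is reported as such, not as fixed, since the advisory does not name the fixed release.

```python
"""JetEngine version inventory (added example; not from vuln.today, Patchstack or Crocoblock)."""
import os
import re
import tempfile

MAX_AFFECTED = "3.8.10"  # upper bound of the affected range stated in the advisory
# Assumed layout: plugin directory named after the 'jet-engine' slug, main file jet-engine.php.
PLUGIN_MAIN_FILE = os.path.join("wp-content", "plugins", "jet-engine", "jet-engine.php")

# WordPress reads plugin metadata from a header comment such as " * Version: 3.8.10".
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE)


def parse_plugin_version(header_text: str):
    """Return the Version: header value, or None if the file has no such header."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> tuple:
    """'3.8.10.1' -> (3, 8, 10, 1). Non-numeric parts are ignored and trailing
    zeros dropped so that '3.8.10' and '3.8.10.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_in_affected_range(version: str, max_affected: str = MAX_AFFECTED) -> bool:
    """True when version <= max_affected. A version above the range is not
    thereby confirmed fixed; check the vendor changelog for the fixed release."""
    return version_tuple(version) <= version_tuple(max_affected)


def scan(root: str) -> list:
    """Return [(path, version, in_affected_range)] for each JetEngine main file under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not path.endswith(PLUGIN_MAIN_FILE):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_plugin_version(fh.read(8192))  # the header is at the top of the file
            flagged = version is not None and is_in_affected_range(version)
            findings.append((path, version, flagged))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed demo data: two fake docroots, one on 3.8.10 and one on 3.8.10.1."""
    root = tempfile.mkdtemp(prefix="jetengine-inventory-")
    for site, version in (("site-a", "3.8.10"), ("site-b", "3.8.10.1")):
        main_file = os.path.join(root, site, PLUGIN_MAIN_FILE)
        os.makedirs(os.path.dirname(main_file))
        with open(main_file, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: JetEngine\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    # Real use: python3 jetengine_inventory.py /var/www ; with no argument the demo tree is scanned.
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, version, flagged in scan(target):
        status = "AFFECTED" if flagged else ("ABOVE-RANGE" if version else "NO-VERSION")
        print(f"{status:12} {version}  {path}")
```

Run it against each web root (or mount) you manage and feed the AFFECTED lines into the criticality worksheet the step above asks for. Hosts that have moved the plugin directory, or that vendor the plugin under another name, will not be found by the path check; for those, match on the `Plugin Name: JetEngine` header instead.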
More from same product – last 7 days
PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Co
Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote
Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote att
Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inj
Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to
European Vulnerability Database (EUVD) identifier: EUVD-2026-37634