CVE-2026-49074: WordPress JetEngine plugin <= 3.8.9.1 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in JetEngine versions 3.8.9.1 and earlier.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A reflected or stored cross-site scripting (XSS) vulnerability affects the JetEngine WordPress plugin at version 3.8.9.1 and earlier. The flaw is reachable over the network by any unauthenticated attacker, but requires a victim to interact with a crafted link or page for the attack to execute. Successful exploitation lets an attacker run arbitrary JavaScript in the victim's browser, enabling session theft, page defacement, or unauthorized actions taken on the victim's behalf. HarborGuard is tracking the upstream advisory for patch availability and will surface a patched-image rebuild the moment a fix version is published.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle JetEngine. Any image containing JetEngine at version 3.8.9.1 or earlier is flagged automatically.
- Triage: Available. Triage uses the CVSS v3.1 base score of 7.1 (HIGH), weighted against each customer org's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer environment based on configured policy rules.
- Fix: Pending upstream. No fix version has been published upstream as of the CVE record date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Jetimpex Inc. releases a remediated version of JetEngine.
Exploit Conditions
- Network reachability: Required
The attacker delivers the malicious payload over the network, so the affected WordPress installation must be reachable from the attacker's origin.
- Authentication: Not required
No account or session credentials are needed; the attack can be launched by any anonymous user.
- Victim interaction: Required
A victim (typically a logged-in site user or administrator) must follow a crafted link or visit a page hosting the malicious payload for the JavaScript to execute.
- Attack complexity: Low (AC:L in the CVSS vector)
Exploit reliability is high and no special environmental conditions, race conditions, or memory-layout prerequisites are required.
Blast Radius
- Reads the victim's session cookies or authentication tokens, enabling account takeover without the victim's knowledge.
- Reads page content visible to the victim, which may include sensitive configuration details or personal data rendered in the WordPress admin or front-end context.
- Modifies page content in the victim's browser session, allowing the attacker to inject fraudulent UI elements or redirect the victim to attacker-controlled sites.
- Performs actions in the WordPress application on behalf of the victim, such as creating accounts, changing settings, or publishing content, depending on the victim's privilege level.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-49074 is active across all customer environments, matching any image that ships JetEngine at version 3.8.9.1 or earlier. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically when Jetimpex Inc. publishes a remediated release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention. In the interim, compensating controls worth considering include web application firewall rules targeting XSS payloads in JetEngine request parameters, network-policy isolation to restrict which users can reach the affected WordPress installation, and disabling or restricting JetEngine features that accept unvalidated user input where the plugin's own feature-flag configuration permits it.
- Jetimpex Inc. / JetEngine: ≤ 3.8.9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L