CVE-2026-49075: WordPress JetEngine plugin <= 3.8.9.1 - PHP Object Injection vulnerability
Contributor PHP Object Injection in JetEngine versions <= 3.8.9.1.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: — (no upstream fix version published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection vulnerability in the JetEngine WordPress plugin (versions 3.8.9.1 and earlier) allows an unauthenticated remote attacker to inject a malicious PHP object through unsanitized user input. The vulnerability is reachable over the network with no authentication required and no user interaction needed. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected system, depending on what PHP classes are available in the application for the injected object to leverage. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Status: Available
Detection for CVE-2026-49075 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from Patchstack and upstream feeds, including custom-built images that bundle the JetEngine plugin. Coverage extends to both registry scans and in-pipeline image checks at build time.
- Status: Available
HarborGuard scores this CVE at its published CVSS 3.1 rating of 9.8 (CRITICAL) and weights it against each customer environment's compliance policy to determine urgency and routing. Triage alerts are routed to the appropriate team inbox within each customer org based on configured ownership rules.
- Status: Pending upstream
Because no upstream fix version has been published for CVE-2026-49075, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version exists.
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected WordPress service over the network; no local or physical access is required.
- Authentication: Not required
No account or session credential of any kind is needed to trigger the vulnerability.
- Victim interaction: Not required
The attacker does not need to trick or involve any user to carry out the exploit.
- Attack complexity: Low (AC:L)
Exploit conditions are reliable and free of environmental dependencies; no race conditions or special memory layout is required.
Blast Radius
- A successful attacker reads any data accessible to the web application process, including stored credentials, session tokens, and database contents.
- A successful attacker writes or modifies persisted data, including database rows, configuration files, and uploaded content.
- A successful attacker can crash or hang the web server process, taking the site offline.
- If a suitable gadget chain exists in the application's loaded PHP classes, the attacker gains remote code execution on the host running the WordPress installation.
How HarborGuard Handles This
Because no patched version of JetEngine has been published, HarborGuard monitors the Patchstack advisory and all upstream feeds on every ingest cycle and will surface a patched-image rebuild the moment a fix version is released. For customers with auto-remediation enabled, the rebuild and regression run will trigger automatically, and a PR will be opened against affected workloads with no manual steps required. In the interim, compensating controls worth considering include network-policy isolation that restricts inbound traffic to the WordPress service to known-good sources, web application firewall rules that block serialized PHP payloads in request parameters (with the caveat that encoded or nested payloads can evade simple pattern matching, so such rules reduce exposure rather than close it), and feature-flag or plugin-level gating that disables JetEngine functionality until a patch is available. The CVE carries a CVSS 3.1 score of 9.8 (CRITICAL), so environments running an affected image should treat this as a high-priority item in their remediation queue.
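The vulnerability class described in the synopsis and the WAF-style control mentioned above, shown as an added illustration that is neither JetEngine's nor HarborGuard's code: the CacheEntry class, the function names and the sample payload are constructed stand-ins, and the snippet assumes PHP 8.0 or later.

```php
<?php
// Added example, not JetEngine or HarborGuard code. CacheEntry is a hypothetical
// stand-in for whatever classes a WordPress site has loaded (core, themes, other
// plugins); the loaded classes, not the plugin alone, decide the real impact.
final class CacheEntry {
    public string $path = '/tmp/cache.dat';
    public function __wakeup(): void {
        // Any side effect in a magic method becomes attacker-reachable once the
        // attacker controls the string handed to unserialize().
        error_log("CacheEntry revived for {$this->path}");
    }
}

// Vulnerable pattern: untrusted request data goes straight into unserialize(),
// which instantiates any loaded class and runs its __wakeup()/__destruct().
function load_settings_unsafe(string $untrusted): mixed {
    return unserialize($untrusted);
}

// Hardened pattern 1: refuse to instantiate classes. Object tokens are
// deserialized as __PHP_Incomplete_Class and no magic method executes.
function load_settings_safe(string $untrusted): mixed {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for untrusted data at all.
// JSON has no object-type token, so there is nothing to inject.
function load_settings_json(string $untrusted): ?array {
    $decoded = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// Detection heuristic for the WAF-style control mentioned above: flag a request
// parameter that carries a serialized PHP object ('O:') or custom ('C:') token.
// Caveat: base64- or URL-encoded payloads must be decoded before this check.
function looks_like_php_object(string $value): bool {
    return (bool) preg_match('/(?:^|[{;:])[OC]:\d+:"/', $value);
}

// Constructed sample input: a serialized CacheEntry with an attacker-chosen path.
$payload = 'O:10:"CacheEntry":1:{s:4:"path";s:9:"/tmp/test";}';

var_dump(load_settings_unsafe($payload) instanceof CacheEntry);           // object instantiated, __wakeup() already ran
var_dump(load_settings_safe($payload) instanceof __PHP_Incomplete_Class);  // inert placeholder, no magic method ran
var_dump(looks_like_php_object($payload));                                  // serialized-object token detected
var_dump(looks_like_php_object('{"path":"/tmp/test"}'));                    // plain JSON is not flagged
```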
Affected Products
- Jetimpex Inc. / JetEngine ≤ 3.8.9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H