CVE-2026-49076 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-49076: WordPress JetEngine plugin <= 3.8.9.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the JetEngine WordPress plugin at version 3.8.9.1 and earlier. The flaw is reachable over the network with no login required, and no victim interaction is needed to trigger it. Successful exploitation gives an attacker direct read access to the underlying database and causes minor disruption to service availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the JetEngine plugin. Any image carrying JetEngine 3.8.9.1 or earlier is flagged automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.3 Critical and weights it against each customer organization's compliance policy before routing the alert to the appropriate team inbox. Per-environment policy configuration determines escalation priority and SLA assignment without requiring manual re-classification.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Jetimpex Inc. ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or session credential of any kind is needed; the injection is reachable by any anonymous HTTP request.

  • Victim interaction: Not required

    The attacker does not need to trick or wait for any user to take an action; the request can be sent directly and autonomously.

  • Attack complexity: Low (AC:L)

    Exploit reliability is high and no special preconditions such as race conditions or specific memory layout are required.

Blast Radius

  • Reads arbitrary rows from the WordPress database, including stored user credentials (hashed passwords), email addresses, session tokens, and any customer or order data managed by JetEngine.
  • The CVSS scope token is Changed, meaning the attacker can reach data outside the WordPress application boundary, such as other databases or tables on the same MySQL instance.
  • Causes limited disruption to service availability, consistent with the Low availability impact score, such as degraded query performance or intermittent errors under sustained attack.

How HarborGuard Handles This

Available on HarborGuard: any image containing JetEngine 3.8.9.1 or earlier is flagged as Critical the moment the CVE is ingested, with no manual scan trigger needed. Because no upstream patch exists, HarborGuard monitors the Patchstack advisory on every ingest cycle. The instant Jetimpex Inc. publishes a fix, a patched-image rebuild becomes available, and customers with auto-remediation enabled will receive a rebuild, a regression test run, and a PR opened against affected workloads automatically. In the meantime, compensating controls worth considering include placing a web application firewall rule in front of the affected WordPress installation to block anomalous SQL-bearing query strings, restricting network policy so the WordPress pod cannot make outbound database connections beyond its designated MySQL host, and temporarily disabling or restricting JetEngine routes via feature configuration if the plugin's dynamic query features are not in active use.

Affected packages
  • Jetimpex Inc. / JetEngine
    ≤ 3.8.9.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L