CRITICAL | CVE-2026-49079 | CNA: Patchstack

CVE-2026-49079: WordPress JetSearch plugin <= 3.5.17 - SQL Injection vulnerability

Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the WordPress JetSearch plugin at version 3.5.17 and earlier. The flaw is reachable over the network with no authentication required, making it exploitable by any remote party that can send HTTP requests to a WordPress site running the plugin. Successful exploitation gives an attacker read access to the underlying database contents and causes minor service disruption. No fix version has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the JetSearch plugin. Any image found to carry an affected version of JetSearch (3.5.17 or earlier) is flagged immediately in the pipeline.

Triage (status: Available)

HarborGuard scores this vulnerability at CVSS 9.3 (Critical) and surfaces it accordingly, with per-environment compliance policy weighting applied to prioritize routing within each customer org. Triage findings are delivered to the inbox or ticketing integration configured for the affected workload's owner.

Patch (status: Pending upstream)

Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, compensating controls such as network-policy isolation for affected WordPress workloads and web application firewall rules targeting SQL injection patterns can be configured within each customer environment.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to send HTTP requests to the target WordPress site over the network; no local or physical access is needed.

  • Authentication: Not required

    No account or credentials of any kind are needed; the vulnerable endpoint is fully accessible to unauthenticated users.

  • Victim interaction: Not required

    The attacker sends crafted requests directly to the server; no user action or social engineering is involved.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free, requiring no race conditions, special memory layout, or environmental setup beyond network access to the target.

Blast Radius

  • Reads arbitrary database contents, including WordPress user records, password hashes, stored session tokens, and any customer or application data held in the database.
  • Reads plugin and site configuration data that may expose credentials or API keys stored in the database, enabling further compromise of connected services.
  • Causes minor disruption to the affected service through resource consumption incurred by injected queries.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all customer images on every scan cycle, covering both images pulled from public registries and custom-built WordPress images. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on each ingest pass and will make a patched-image rebuild available automatically the moment a fix version is published. For customers with auto-remediation enabled, that rebuild triggers a regression test run and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues once an upstream fix exists. While no patch is available, recommended compensating controls include applying network policy to restrict public access to affected WordPress instances where feasible, deploying WAF rules that block SQL injection patterns on the affected plugin's endpoints, and auditing database user privileges to limit the data accessible through a successful injection.

Affected packages
  • Jetimpex Inc. / JetSearch
    ≤ 3.5.17
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L