CRITICAL | CVE-2026-49084 | CNA: Patchstack

CVE-2026-49084: WordPress JetEngine plugin < 3.8.9.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: 3.8.9.1
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the JetEngine WordPress plugin in versions before 3.8.9.1. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially accessible to remote attackers. Successful exploitation reads data from the underlying database and can cause limited service disruption; a patched-image rebuild at version 3.8.9.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the JetEngine plugin. Any image in a connected registry or CI pipeline carrying JetEngine below 3.8.9.1 is flagged automatically.
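The detection described above comes down to one check: read the version declared in the plugin's header and compare it numerically against the fixed version 3.8.9.1. The following script is an added example, not HarborGuard's scanner; it parses the `Version:` header line in the format WordPress itself uses, and the sample header is constructed for illustration (the plugin's main file path `wp-content/plugins/jet-engine/jet-engine.php` is assumed, as is the treatment of pre-release suffixes as earlier than the final release).

```python
import re

# Fixed version from the advisory; anything below this is affected.
FIXED_VERSION = "3.8.9.1"

# Constructed sample: the header block of a WordPress plugin's main file
# (assumed path: wp-content/plugins/jet-engine/jet-engine.php).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: JetEngine
 * Description: Constructed sample header for illustration only.
 * Version:     3.8.9
 */
"""


def parse_plugin_version(header_text: str):
    """Extract the 'Version:' header from a WordPress plugin main file.

    Mirrors the header-line shape WordPress accepts: optional comment
    decoration, the header name, a colon, then the value.
    """
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", header_text, re.M | re.I)
    return m.group(1).strip() if m else None


def version_key(version: str) -> tuple:
    """Turn '3.8.9.1' into (3, 8, 9, 1) for numeric comparison.

    Stops at the first non-numeric component, so a pre-release such as
    '3.8.9-beta' compares as (3, 8, 9); a simplification, labelled as such.
    """
    nums = []
    for part in re.split(r"[.\-+]", version):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        nums.append(int(digits.group()))
    return tuple(nums)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator; shorter tuples are padded with 0,
    so 3.8.9 == 3.8.9.0 < 3.8.9.1 and 3.8.10 > 3.8.9.1 (string comparison
    would get the second case wrong)."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed version."""
    return compare_versions(installed, fixed) < 0


def check_plugin_file(header_text: str) -> dict:
    """Scan one plugin main file's contents and report the finding."""
    version = parse_plugin_version(header_text)
    return {
        "version": version,
        "affected": is_affected(version) if version else None,
        "fixed_in": FIXED_VERSION,
    }


if __name__ == "__main__":
    print(check_plugin_file(SAMPLE_PLUGIN_HEADER))
```

In a container-image scan the same function would be run over every `wp-content/plugins/*/` main file found in the extracted filesystem layers; the comparison logic is the part worth getting right, since a lexical compare of "3.8.10" against "3.8.9.1" reports a patched install as vulnerable.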
Triage (Available)

HarborGuard scores this CVE at CVSS 9.3 (Critical) and weights findings against each customer environment's compliance policy to determine breach thresholds and escalation urgency. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Patch (Available)

A patched-image rebuild pinned to JetEngine 3.8.9.1 becomes available on HarborGuard as soon as the fix version is confirmed in the advisory record. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs the regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS from any internet-connected host.

  • Authentication: Not required

    No account or session token is needed; the SQL injection can be triggered by an anonymous, unauthenticated request.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the server; no administrator or user action is required to trigger the vulnerability.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup to succeed.

Blast Radius

  • Reads arbitrary rows from the WordPress database, including stored user credentials (hashed passwords), email addresses, and any plugin or application data.
  • Reads session tokens or nonces persisted in the database, which can enable follow-on account takeover of existing WordPress users.
  • The A:L (Low availability) impact means the database or web process can be degraded or partially disrupted through malformed queries, causing intermittent errors for legitimate users.
  • Because the scope token is Changed (S:C), the impact can extend beyond the WordPress application itself to other services or data sharing the same database server.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingesting the Patchstack advisory and flags any image containing JetEngine below 3.8.9.1 across all connected registries and pipelines, including internally built WordPress images. The rebuilt image at version 3.8.9.1 is made available immediately upon advisory confirmation. For customers with auto-remediation enabled, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; for Critical-severity findings, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the triage card is routed to the designated owner inbox with the CVSS 9.3 score and scope-change flag highlighted to support rapid review.


Fix available

3.8.9.1
Affected packages
  • Jetimpex Inc. / JetEngine
    < 3.8.9.1 (from n/a)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L