CVE-2026-52696: WordPress JetBlog plugin <= 2.4.8 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in JetBlog <= 2.4.8 versions.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a sensitive data exposure vulnerability in the JetBlog WordPress plugin, affecting versions 2.4.8 and earlier. The vulnerability is reachable over the network without any authentication required, meaning any internet user can trigger it without needing an account or credentials. Successful exploitation allows an attacker to read sensitive data from the affected WordPress installation. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the JetBlog plugin, not just official upstream images.
AvailableHarborGuard scores this finding at CVSS 7.5 (HIGH) using the recorded v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are forwarded to the appropriate team inbox within each customer organization based on configured ownership rules.
AvailableNo fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers who opt into auto-remediation, a regression-test run and a PR against affected workloads will be opened at that time.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the WordPress service over the network; the AV:N vector means no local or physical access is needed.
- AuthenticationNot required
No account or credentials are needed; the vulnerability is exploitable by any unauthenticated party who can send an HTTP request to the service.
- Victim interactionNot required
No user action is required; the attacker can trigger the exposure without any victim clicking a link or performing any step.
- Attack complexityDetail
Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.
Blast Radius
- An attacker reads sensitive data stored or processed by the JetBlog plugin on the affected WordPress site.
- Exposed data may include configuration values, API keys, or other internal content surfaced by the plugin without an access check.
- Because confidentiality impact is rated HIGH and the attack requires no authentication, bulk automated scanning across many WordPress installations is practical.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer images that bundle the JetBlog plugin, including custom-built WordPress images. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment Jetimpex Inc. publishes a remediated version. For customers who opt into auto-remediation, that rebuild will immediately trigger a regression-test run and a PR opened against affected workloads. In the interim, recommended compensating controls include network-policy rules that restrict public access to affected plugin endpoints, egress filtering to limit what the plugin can reach externally, and disabling the JetBlog plugin where its functionality is non-essential until a patch is available.
- Jetimpex Inc. / JetBlog≤ 2.4.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N