CVE-2026-52706: WordPress JetEngine plugin <= 3.8.10 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: none published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a vulnerability class that leads to unauthenticated remote code execution; this instance affects the JetEngine WordPress plugin at version 3.8.10 and below. An attacker can reach the vulnerable deserialization point directly over the network without credentials or user interaction. Successful exploitation gives the attacker full impact on the confidentiality, integrity, and availability of the affected system, up to and including arbitrary code execution when a suitable PHP gadget chain is present in the target environment. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available the moment a fix version is published.
HarborGuard Coverage
Detection for CVE-2026-52706 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images in registries and CI/CD pipelines, covering custom-built images that bundle the JetEngine plugin. Any image carrying JetEngine at or below version 3.8.10 is flagged automatically.
Status: Available
HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are available for delivery to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated release is confirmed. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention once a safe version is available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, meaning an attacker can reach it from any internet-routable address without requiring a foothold on the host.
- Authentication: Not required
No account or session token of any privilege level is needed; the injection point is accessible to anonymous HTTP requests.
- Victim interaction: Not required
The attack is fully server-side and requires no action from any user or administrator to trigger deserialization.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free once a PHP gadget chain is identified in the target environment; no race condition or special memory layout is required.
Blast Radius
- A successful attacker can execute arbitrary PHP code on the server, gaining full control of the WordPress application and its underlying host process.
- All data stored in the WordPress database, including user credentials, session tokens, and any customer records managed by JetEngine, is readable by the attacker.
- The attacker can modify or delete database rows, posts, plugin configuration, and any file writable by the web server process.
- The attacker can crash or make the affected service unavailable by corrupting application state or exhausting server resources.
How HarborGuard Handles This
Available on HarborGuard: detection for this critical unauthenticated PHP Object Injection is active across all customer environments, matching images that include JetEngine at or below version 3.8.10. Because no upstream fix has been published yet, HarborGuard monitors the Patchstack advisory on every ingest cycle. In the interim, compensating controls worth evaluating include web-application firewall rules that block or sanitize serialized PHP payloads at the edge, network-policy isolation that restricts inbound HTTP access to the WordPress container to known trusted sources, and egress filtering to limit outbound connections from the web server process in case a gadget chain attempts a callback. Where compliance policy permits, as soon as Jetimpex Inc. ships a patched release, HarborGuard will make a rebuilt image available and customers with auto-remediation enabled will receive a regression-test run and a PR opened against affected workloads automatically.
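One way to implement the edge-side compensating control described above (flagging serialized PHP payloads in request parameters, including URL-encoded and base64-wrapped ones), written here as an added example that is not HarborGuard's or the JetEngine project's code; the sample requests, paths and parameter names are constructed:

```python
"""WAF-style check for PHP serialized objects in request parameters (added example)."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# Start of a PHP serialized object:  O:<len>:"<Class>":<n>:{   (C: is the Serializable form).
_PHP_OBJECT = re.compile(r'(?<![A-Za-z0-9])[OC]:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def _decode_layers(value: str) -> list[str]:
    """The value plus its URL-decoded and base64-decoded forms; payloads are usually wrapped."""
    layers = [value, unquote_plus(value)]
    for candidate in list(layers):
        try:
            layers.append(base64.b64decode(candidate, validate=True).decode("latin-1"))
        except (binascii.Error, ValueError):
            continue  # not valid base64, so there is no further layer to inspect
    return layers


def find_php_classes(value: str) -> list[str]:
    """Class names of every serialized object found in any decoding layer of one value."""
    found = set()
    for layer in _decode_layers(value):
        found.update(m.group(1) for m in _PHP_OBJECT.finditer(layer))
    return sorted(found)


def scan_request(method: str, target: str, body: str = "") -> dict[str, list[str]]:
    """Map parameter name -> serialized classes for the query string and (for POST) form body."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    return {name: cls for name, value in params if (cls := find_php_classes(value))}


# Constructed sample traffic, not taken from the advisory: a benign search, a URL-encoded
# object in a query parameter, and a base64-wrapped object in a POST body (paths assumed).
_B64_OBJ = quote(base64.b64encode(b'O:13:"Example_Class":1:{s:1:"v";i:2;}').decode(), safe="")
SAMPLE_REQUESTS = [
    ("GET", "/?s=hello+world", ""),
    ("GET", "/?data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D", ""),
    ("POST", "/wp-admin/admin-ajax.php", "action=x&payload=" + _B64_OBJ),
]


def scan_samples(requests=SAMPLE_REQUESTS) -> list[tuple[int, dict[str, list[str]]]]:
    """(index, hits) for every request that carries at least one serialized PHP object."""
    return [(i, h) for i, (m, t, b) in enumerate(requests) if (h := scan_request(m, t, b))]
```

Any hit is suspicious regardless of the class named, since a legitimate browser or API client has no reason to send serialized PHP; the returned class names are what an analyst would correlate against known gadget chains when deciding how to prioritise the alert.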
Affected Products
- Jetimpex Inc. / JetEngine: ≤ 3.8.10
CVSS v3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H