CVE-2026-54187: WordPress JetEngine plugin <= 3.8.10.1 - SQL Injection vulnerability
Unauthenticated SQL injection in JetEngine versions <= 3.8.10.1.
Metrics
- CVSS v3.1
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the JetEngine WordPress plugin at version 3.8.10.1 and earlier. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) rates the flaw as reachable over the network, low in complexity, and requiring neither privileges nor user interaction, for a base score of 9.3. Successful exploitation lets an attacker read sensitive data from the underlying database and cause limited service disruption. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available when a fix is released.
HarborGuard Coverage
Detection: Available. CVE-2026-54187 is detected across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle JetEngine.
Scoring and routing: Available. HarborGuard scores this finding at CVSS 9.3 (Critical), weights it against each customer environment's compliance policy to determine urgency, and routes it to the appropriate team inbox within each customer organization according to configured ownership rules.
Patched-image rebuild: Pending upstream. Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically once Jetimpex Inc. ships a corrected release. Customers with auto-remediation enabled receive the rebuild, a regression-test run, and a pull request opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the WordPress service over the network; no local or physical access is required.
- Authentication: Not required
No account or session credential of any privilege level is needed to trigger the injection.
- Victim interaction: Not required
The attack is entirely server-side; no user needs to click a link, visit a page, or take any other action.
- Attack complexity: Low
The vector rates attack complexity Low (AC:L): exploitation does not depend on race-condition timing, a specific memory layout, or any other environmental precondition.
Blast Radius
- An attacker reads arbitrary rows from the WordPress database, including user password hashes, session tokens, and any customer or form data held in plugin tables.
- Scope is Changed (S:C) in the CVSS vector: the impact extends beyond the vulnerable plugin to the WordPress installation as a whole. Because plugin queries run under the site's single database account, every table that account can read is reachable, core tables such as wp_users included.
- The availability impact is rated Low (A:L): the attacker can cause intermittent query errors or slowdowns, but a full outage is outside the rated impact range. The vector records no integrity impact (I:N), so the published rating does not cover modifying or deleting data.
How HarborGuard Handles This
Available on HarborGuard: as soon as Jetimpex Inc. publishes a fix release, a patched-image rebuild becomes available, and customers with auto-remediation enabled receive a rebuild, a regression-test run, and a PR opened against affected workloads automatically. In the interim, HarborGuard re-evaluates the advisory on every ingest cycle, so no manual monitoring is required. While no patch exists, compensating controls worth considering are, in order of reliability: disabling JetEngine (by feature flag or at the plugin level) on instances that do not strictly require it, which removes the vulnerable code path entirely; network-policy rules that restrict public access to affected WordPress endpoints, which help only where the site does not need to be reachable by anonymous users, since the injection requires no authentication; and web application firewall rules targeting SQL metacharacter patterns in JetEngine request parameters, which raise the bar but are routinely bypassed with encoding and comment tricks and should not be treated as a fix.
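Until a fixed release exists, the quickest check on a host or in an image is the installed plugin version. The script below is an added example, not HarborGuard tooling and not JetEngine code: it reads the standard WordPress plugin header, parses the `Version:` line, and compares it against the advisory's affected range (<= 3.8.10.1). The plugin path `wp-content/plugins/jet-engine/jet-engine.php` is an assumption, and the sample header is constructed for the stand-alone run.

```python
"""Check an installed JetEngine plugin against the CVE-2026-54187 affected range.

Added example; not HarborGuard's or the plugin's own code.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# From the advisory: every version <= this one is affected.
LAST_AFFECTED = "3.8.10.1"

# Assumed main plugin file relative to the WordPress root (not confirmed by the advisory).
PLUGIN_MAIN_FILE = Path("wp-content/plugins/jet-engine/jet-engine.php")

# Matches the " * Version: x.y.z" line of a WordPress plugin header.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]\S*)", re.MULTILINE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version into an integer tuple for ordered comparison.

    Non-numeric suffixes (e.g. '1-beta') are ignored from the first bad piece on,
    and trailing zeros are stripped so that 3.8.10 and 3.8.10.0 compare equal.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparsable version: {version!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    # Tuple comparison handles mixed lengths: (3, 8, 10) < (3, 8, 10, 1) < (3, 8, 11).
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def version_from_header(header_text: str) -> Optional[str]:
    """Extract the Version field from a WordPress plugin header, if present."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def classify(version: Optional[str]) -> str:
    """Human-readable verdict for one version string (None = header had no version)."""
    if version is None:
        return "installed, version unknown"
    verdict = "AFFECTED" if is_affected(version) else "not affected"
    return f"{version}: {verdict}"


def check_install(wp_root: Path) -> str:
    """Locate the assumed plugin file under a WordPress root and classify it."""
    main_file = wp_root / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return "not installed"
    return classify(version_from_header(main_file.read_text(errors="replace")))


# Constructed sample header for the stand-alone run; not a real file from the plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: JetEngine
 * Version: 3.8.10.1
 */
"""

if __name__ == "__main__":
    # Stand-alone demo on the constructed header, then on the current directory.
    print("sample header ->", classify(version_from_header(SAMPLE_HEADER)))
    print("./ ->", check_install(Path(".")))
```

Run it from the WordPress root (or against an unpacked image layer) and treat any `AFFECTED` result as a workload to disable or isolate until the upstream fix ships; update `LAST_AFFECTED` once a fixed version is published.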
Affected Products
- Jetimpex Inc. / JetEngine: ≤ 3.8.10.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L