CVE-2026-54188 | Severity: HIGH | CNA: Patchstack

CVE-2026-54188: WordPress JetEngine plugin <= 3.8.10 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: none published
Affected products: 1


HarborGuard Analysis

Synopsis

This is a reflected or stored cross-site scripting (XSS) vulnerability in the JetEngine WordPress plugin, versions 3.8.10 and earlier. Per the CVSS vector, the flaw is reachable over the network by any unauthenticated user, but a victim must interact with a crafted link or page for it to trigger. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser context, enabling session theft, page content manipulation, and degradation of service availability. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment an upstream fix becomes available.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-54188 is available across every HarborGuard environment, with ingestion from upstream feeds including Patchstack occurring within minutes of publication and matching against all customer images, including custom-built WordPress images that bundle the JetEngine plugin. Any image containing JetEngine at version 3.8.10 or earlier is flagged automatically in both registry scans and CI pipeline checks.

Status: Available
Triage

HarborGuard scores this finding at CVSS 7.1 (HIGH) and weights it against each customer organization's compliance policy to set its priority. Triage routing directs findings to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Jetimpex Inc. ships a remediated release. In the interim, customers with auto-remediation enabled can receive policy-driven compensating controls such as network-policy isolation recommendations surfaced alongside the open finding.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker can send a crafted request from anywhere on the internet without needing local or adjacent-network access.

  • Authentication: Not required

    No account or credentials of any kind are needed to trigger the vulnerability; the attack is available to completely anonymous users.

  • Victim interaction: Required

    A victim must follow a crafted link or visit a manipulated page for the malicious script payload to execute in their browser, making social engineering a necessary step.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental pre-conditions beyond delivering the crafted input.

Blast Radius

  • An attacker can steal session cookies or authentication tokens from the victim's browser, enabling account takeover without needing the victim's credentials.
  • Arbitrary JavaScript execution allows the attacker to modify visible page content, redirect the victim to a phishing site, or silently submit forms on the victim's behalf.
  • Confidential data rendered in the browser at the time of exploitation, such as personal profile details or administrative configuration, can be exfiltrated to an attacker-controlled endpoint.
  • The injected script can degrade or disrupt the victim's experience of the affected WordPress site, consistent with the low availability impact noted in the CVSS vector.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-54188 is active for all images containing JetEngine at an affected version, with findings surfaced at HIGH severity (CVSS 7.1). Because no upstream patch exists as of the CVE publication date, HarborGuard monitors the Patchstack advisory feed on each ingest cycle and will make a patched-image rebuild available automatically once Jetimpex Inc. publishes a fix. For customers who opt into auto-remediation, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered without manual intervention as soon as a fix version is confirmed. While no patch is available, recommended compensating controls include restricting public access to affected plugin endpoints via web application firewall rules or network policy, and auditing WordPress installations to confirm whether JetEngine is actively used or can be disabled. HarborGuard surfaces these compensating-control suggestions alongside the open finding for relevant environments.
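As an added illustration of the two checks described above (flagging any JetEngine install at 3.8.10 or earlier, and auditing a WordPress tree to confirm whether the plugin is present), here is a small audit script; it is not HarborGuard's or Jetimpex's code. It assumes the plugin's main file sits at wp-content/plugins/jet-engine/jet-engine.php, and the sample header at the bottom is constructed, not taken from a real release.

```python
import re
from pathlib import Path

AFFECTED_MAX = "3.8.10"  # threshold from the advisory: JetEngine <= 3.8.10 is affected
# Assumed path of JetEngine's main file under a WordPress root (standard
# layout is wp-content/plugins/<slug>/<main-file>.php).
JETENGINE_MAIN = Path("wp-content/plugins/jet-engine/jet-engine.php")
# WordPress plugin headers are "Key: value" lines in the file's top comment block.
HEADER_RE = re.compile(r"^[\s*#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                       re.MULTILINE | re.IGNORECASE)

def parse_plugin_header(text):
    """Return the header fields we care about, keyed in lower case."""
    return {k.lower(): v for k, v in HEADER_RE.findall(text)}

def version_key(v):
    """'3.8.10' -> (3, 8, 10). Only the numeric prefix is compared, so a
    pre-release suffix like '3.9-beta1' orders as 3.9."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError("unparseable version: %r" % v)
    return tuple(int(p) for p in m.group(0).split("."))

def is_affected(version, affected_max=AFFECTED_MAX):
    """True when version <= affected_max; note (3,8,10,1) > (3,8,10)."""
    return version_key(version) <= version_key(affected_max)

def audit_jetengine_source(text):
    """Classify one plugin file as 'affected', 'fixed' or 'not-jetengine'."""
    hdr = parse_plugin_header(text)
    if hdr.get("plugin name", "").lower() != "jetengine" or "version" not in hdr:
        return "not-jetengine", hdr.get("version")
    return ("affected" if is_affected(hdr["version"]) else "fixed"), hdr["version"]

def audit_wordpress_root(root):
    """Check a WordPress install (or an extracted image layer) for JetEngine."""
    main = Path(root) / JETENGINE_MAIN
    if not main.is_file():
        return "not-installed", None
    return audit_jetengine_source(main.read_text(encoding="utf-8", errors="replace"))

# Constructed sample header mimicking a vulnerable release; not a real plugin file.
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name: JetEngine
 * Version:     3.8.10
 */
"""
```

Point audit_wordpress_root at a document root or an extracted container layer; anything other than "fixed" or "not-installed" is worth a ticket until a remediated release ships.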

Affected packages
  • Jetimpex Inc. / JetEngine: ≤ 3.8.10
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L