CVE-2026-54189 (HIGH), CNA: Patchstack

CVE-2026-54189: WordPress JetEngine plugin <= 3.8.10 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions.

Metrics

CVSS v3.1 base score: 7.1
Severity: HIGH
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

A cross-site scripting (XSS) vulnerability exists in the JetEngine WordPress plugin at version 3.8.10 and earlier. The advisory does not say whether the injection is reflected or stored; the CVSS vector (PR:N, UI:R) means the payload can be placed without any account on the site but runs only when a victim follows a crafted link or loads the affected page, which makes the attack dependent on social engineering. Successful exploitation runs attacker-controlled JavaScript in the victim's browser, where it can act within that user's session, read whatever the page exposes, alter what the page shows, and disrupt the page for the duration of the visit. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-54189 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images, including custom-built images that bundle the JetEngine plugin. No manual configuration is required to enable this matching.
Triage: Available

HarborGuard scores this CVE at CVSS 7.1 (HIGH) and weights the finding against each customer environment's compliance policy to determine urgency. Triage routing then delivers the finding to the appropriate team inbox in the customer org, based on configured ownership rules.
Patch: Pending upstream

Because no fix version has been published for CVE-2026-54189, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as an upstream fix is released. For customers with auto-remediation enabled, that rebuild triggers a regression-test run and opens a PR against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target WordPress installation over the network; there is no local or physical access requirement.

  • Authentication: Not required

    No account or credentials on the target site are needed to deliver the malicious payload.

  • Victim interaction: Required

    A victim (typically a logged-in user or administrator) must click a crafted link or visit a malicious page for the injected script to execute in their browser.

  • Attack complexity: Low

    The exploit is reliable once the victim has been social-engineered; no race conditions or special environmental factors are required.

Blast Radius

  • Script running in the victim's browser can act as that user, including as an administrator. WordPress sets its authentication cookies HttpOnly, so the script generally cannot read the cookie itself; instead it issues requests from the victim's live session (for example to admin-ajax.php or the REST API, using the request nonces WordPress embeds in the logged-in page), which is enough to perform privileged actions on the site.
  • Arbitrary JavaScript running in the victim's browser can read and exfiltrate any data visible on the page, such as personal information or site configuration details.
  • The injected script can modify page content the victim sees, redirecting form submissions or displaying fraudulent content.
  • Browser-side disruption can degrade or break the page's functionality for the victim during the session.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-54189 is active for any image containing JetEngine 3.8.10 or earlier, with findings scored at CVSS 7.1 (HIGH) and routed according to each customer's compliance policy. Because no upstream fix exists at this time, the recommended compensating controls are: disabling any JetEngine features that accept and render user-supplied input until a patch is available; filtering script-bearing input to the site's plugin endpoints at a WAF or reverse proxy in front of WordPress; restricting who can reach the site by network policy or an authenticating proxy where the installation is not meant to be public; and serving a Content-Security-Policy header that disallows inline script and limits connect-src and form-action. Since the injected script runs in the victim's browser rather than on the server, browser-enforced policy, not server-side egress filtering, is what limits where it can send data; test any such CSP against wp-admin first, which relies on inline scripts. HarborGuard monitors the Patchstack advisory on every ingest cycle; once a fix version is published, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads.

Affected packages
  • Jetimpex Inc. / JetEngine
    ≤ 3.8.10
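To check an image or site tree against the affected range above, the following script (an added example, not HarborGuard's matcher) finds WordPress plugin main files, reads the version from the plugin header with the same pattern WordPress's own get_file_data() uses, and flags JetEngine copies at or below 3.8.10. It assumes plugins live under a wp-content/plugins directory and that the main file declares "Plugin Name: JetEngine" in its header (the folder name is not trusted). The fixture tree it builds is constructed for the demonstration.

```python
"""Find WordPress plugins in an image or site tree, read each plugin's version
the way WordPress does, and flag JetEngine copies inside the affected range.
Added example, not HarborGuard's matcher. Assumptions: plugins live under a
'wp-content/plugins' directory and the main file carries a 'Plugin Name:'
header; the sample tree below is constructed for the demonstration."""
import os
import re
import tempfile

LAST_AFFECTED = "3.8.10"  # advisory: JetEngine <= 3.8.10
HEADER_BYTES = 8192       # WordPress get_file_data() only reads the first 8 KiB


def read_header_field(text, field):
    """Extract one header field using the pattern WordPress applies: optional
    comment decoration, the field name, a colon, then the rest of the line."""
    pattern = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
    match = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
    return match.group(1).strip() if match else None


def version_key(version):
    """Numeric per-component key: '3.8.10' must sort after '3.8.9', which a
    plain string comparison gets wrong. A pre-release suffix is ignored,
    which errs on the side of flagging '3.8.10-beta' as affected."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def is_affected(version, last_affected=LAST_AFFECTED):
    return version_key(version) <= version_key(last_affected)


def scan_tree(root):
    """Return one record per plugin main file found under any wp-content/plugins."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if (os.path.basename(dirpath) != "plugins"
                or os.path.basename(os.path.dirname(dirpath)) != "wp-content"):
            continue
        for plugin_dir in sorted(dirnames):
            folder = os.path.join(dirpath, plugin_dir)
            # WordPress registers top-level .php files of each plugin folder
            # that carry a 'Plugin Name' header; subfolders are not scanned.
            for fname in sorted(os.listdir(folder)):
                if not fname.endswith(".php"):
                    continue
                path = os.path.join(folder, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    head = fh.read(HEADER_BYTES)
                name = read_header_field(head, "Plugin Name")
                if not name:
                    continue  # not a plugin main file
                version = read_header_field(head, "Version") or "0"
                findings.append({
                    "plugin": name, "version": version, "path": path,
                    "affected": name.lower() == "jetengine" and is_affected(version),
                })
    return findings


def build_sample_tree():
    """Constructed fixture: two sites, one of which bundles an affected copy."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    fixtures = {
        "site-a/wp-content/plugins/jet-engine/jet-engine.php":
            "<?php\n/**\n * Plugin Name: JetEngine\n * Version:     3.8.10\n */\n",
        "site-a/wp-content/plugins/sample-plugin/sample-plugin.php":
            "<?php\n/*\nPlugin Name: Sample Plugin\nVersion: 1.2.0\n*/\n",
        "site-b/wp-content/plugins/jet-engine/jet-engine.php":
            "<?php\n/**\n * Plugin Name: JetEngine\n * Version:     3.8.11\n */\n",
    }
    for rel, body in fixtures.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = "AFFECTED (CVE-2026-54189)" if f["affected"] else "ok"
        print("%-14s %-8s %s  %s" % (f["plugin"], f["version"], flag, f["path"]))
```

Run it against an unpacked container image or a site's document root; matching on the header rather than the folder name catches renamed or vendored copies of the plugin, and the numeric version key is what prevents "3.8.10" from being misread as older than "3.8.9".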
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
References