CVE-2026-28134
Code Injection in Crocoblock JetEngine Allows Remote Code Inclusion
Publication date: 2026-03-05
Last updated on: 2026-03-05
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crocoblock | jetengine | From 3.0.0 (inc) to 3.7.2 (inc) |
| crocoblock | jetengine | 3.8.1.2 |
| crocoblock | jetengine | to 3.7.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28134 is a high-priority Remote Code Execution (RCE) vulnerability in the WordPress JetEngine plugin versions up to and including 3.7.2.
This vulnerability allows a malicious actor to execute arbitrary commands on the target website by exploiting improper control of code generation, specifically a code injection flaw.
To exploit this vulnerability, an attacker needs at least Contributor or Developer privileges on the site.
The issue is classified under the OWASP Top 10 category A3: Injection.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to execute arbitrary commands remotely on the affected website.
Successful exploitation can lead to attackers gaining backdoor access and full control over the site.
This could result in unauthorized data access, site defacement, data loss, or using the site as a platform for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
CVE-2026-28134 is a Remote Code Execution vulnerability in the WordPress JetEngine plugin up to version 3.7.2. Detection typically involves monitoring for suspicious activity related to code injection or unauthorized command execution on the affected site.
While no specific detection commands are provided, users can look for unusual HTTP requests targeting the JetEngine plugin endpoints or scan logs for attempts to exploit injection vulnerabilities.
Patchstack offers an automatic mitigation rule that can help block attacks targeting this vulnerability, which may also assist in detection by logging blocked attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the WordPress JetEngine plugin to version 3.8.1.2 or later, which contains the patch for this vulnerability.
Until the update can be applied, users of Patchstack can enable the provided automatic mitigation rule to block attacks targeting this vulnerability.
Additionally, enabling auto-updates specifically for vulnerable plugins can help ensure ongoing protection against this and similar vulnerabilities.