CVE-2026-49075
Deferred Deferred - Pending Action
JetEngine PHP Object Injection Vulnerability

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-49075
EUVD
EUVD-2026-37617
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
croco_block jetengine to 3.8.9.1 (inc)
crocal jetengine to 3.8.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WordPress JetEngine Plugin, versions 3.8.9.1 and below, contains a PHP Object Injection vulnerability. This flaw allows attackers to inject malicious PHP objects into the application, potentially enabling code execution, SQL injection, path traversal, denial of service, and other harmful actions if a suitable POP (Property Oriented Programming) chain exists.

Impact Analysis

This vulnerability has a high severity with a CVSS score of 9.8, meaning it can have a critical impact. Exploitation could lead to remote code execution, unauthorized database access through SQL injection, file system access via path traversal, denial of service attacks, and other malicious activities. This puts websites using the affected plugin versions at risk of compromise, data loss, service disruption, and unauthorized control.

Mitigation Strategies

Immediate action is advised to mitigate this vulnerability.

  • Update the WordPress JetEngine plugin to version 3.8.10 or later.
  • Apply the mitigation rule provided by Patchstack to block attacks until the plugin is updated.
  • Seek assistance from your hosting provider or a developer if needed.
Compliance Impact

The vulnerability in the WordPress JetEngine Plugin allows for PHP Object Injection which can lead to code injection, SQL injection, path traversal, and denial of service attacks. Such security breaches could potentially result in unauthorized access to sensitive data or disruption of services.

Given the high severity and potential for exploitation, this vulnerability could negatively impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring system integrity and availability.

However, the provided information does not explicitly mention the direct impact on compliance with these standards.

Detection Guidance

The provided resources do not include specific detection methods or commands to identify the PHP Object Injection vulnerability in JetEngine versions 3.8.9.1 and below.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49075. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart