External risk intelligence

JetEngine PHP Object Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-49075

A critical PHP object injection vulnerability exists in JetEngine, a WordPress plugin. If reachable, an unauthenticated attacker could inject and execute arbitrary PHP code, potentially compromising system data and integrity. This vulnerability could allow remote code execution and impact website security.

Deserialization

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

The vulnerability affects a WordPress plugin, which is typically deployed as part of a public-facing web application. Since web applications are commonly exposed to the internet to serve content and functionality, the vulnerable code path is frequently reachable by external users.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists within a widely used WordPress plugin, potentially allowing unauthorized code execution. This could pose a significant risk if exploited, impacting the integrity and availability of affected systems. The primary concern is to verify if this plugin is in use and assess any exposure.

  • Allows attackers to run code remotely.
  • Matters for website security and data integrity.
  • Confirm plugin use and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests over the network to a vulnerable JetEngine installation. If successful, this could allow them to inject and execute arbitrary PHP code, potentially leading to a full compromise of the affected website.

  • Entry condition: Unauthenticated network access.
  • Trigger point: Specially crafted network requests.
  • Resulting risk: Arbitrary code execution and site compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious PHP objects into the system. This could lead to the compromise of data and the modification of system behavior when the plugin is processed in specific ways.

  • System data could be compromised.
  • Unauthenticated access can trigger injection.
  • System integrity may be affected.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical PHP Object Injection vulnerability in JetEngine could impact any organization using the plugin. The first step is for the application owner or platform team to identify all instances of JetEngine, assess their business criticality and external reachability, and confirm the responsible party for remediation. Coordination with the vendor for a fix or mitigation plan should follow.

  • Application owners should drive remediation.
  • Verify external reachability and business criticality.
  • Plan vendor coordination and apply mitigations.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-49075 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

PHP Object Injection in JetEngine could allow an unauthenticated attacker to execute arbitrary code, potentially leading to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the JetEngine plugin?

JetEngine is a popular WordPress plugin used to add dynamic functionality to websites, such as custom post types, metadata fields, and complex data structures. It acts as a site-building toolkit that allows administrators to manage and display custom content types efficiently without needing extensive manual coding.

What does PHP object injection mean in CVE-2026-49075?

This vulnerability is classified as CWE-502, which occurs when software takes untrusted data and uses it to create an object without sufficient validation. Because JetEngine handles this data improperly, an attacker can supply specially crafted inputs that the server treats as executable commands. This fundamentally breaks the boundary between data and code, potentially allowing the attacker to alter site behavior or take control of the application.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending a specially crafted network request to the web server hosting the vulnerable plugin. This process does not require any prior authentication or special user privileges. It is important to note that simply visiting the website normally or interacting with standard features will not trigger this issue; the request must be specifically engineered to inject the malicious data object that the plugin processes incorrectly.

Is my website at risk from this CVE?

Halo Surface Signal indicates that because this is a WordPress plugin, it is often part of a public-facing web application. Since these applications are frequently connected to the internet to serve content, the vulnerable code is likely reachable by external parties. If your site uses an affected version and is accessible over the network, it should be considered at risk, as the attack vector is remote and does not require local system access.

What should I do first to manage this issue?

The immediate priority is to conduct an inventory to identify every instance of the JetEngine plugin running within your environment. Once you have identified all installations, determine which ones are exposed to the internet and categorize them by their business importance. Do not wait for evidence of an attack; coordinate with your technical teams to track vendor updates and prepare to apply the necessary patches or mitigations to secure your infrastructure.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished