External risk intelligence

JetEngine Unauthenticated PHP Object Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-52706

A critical vulnerability exists in JetEngine that could allow unauthenticated attackers to inject PHP code over the network. If reachable, this could lead to arbitrary code execution on the server, impacting website data and integrity. Confirming if JetEngine is in use and exposed is essential to assess and address pot

Deserialization

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

JetEngine is a popular WordPress plugin used to build dynamic websites and web interfaces. Such plugins are typically installed on web servers that are intentionally exposed to the public internet to serve content and functionality to end users, making the vulnerable component commonly internet-facing by deployment design.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in the JetEngine software, potentially allowing unauthenticated attackers to inject malicious code over the network. This issue could permit broad system compromise if exploited. The main concern at this time is confirming relevance and exposure within our environment.

  • Unauthenticated code injection is a serious threat.
  • Widely used plugin; exposure is a key concern.
  • Confirm if this software is in use; assess impact.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending specially crafted data to a vulnerable JetEngine installation. This malicious data, when processed by the plugin, can lead to the injection of arbitrary PHP objects. If the application is susceptible, this could allow an attacker to execute arbitrary code on the server.

  • No authentication required.
  • Triggered by data sent to the plugin.
  • Allows for arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact the integrity and confidentiality of a website by allowing an unauthenticated attacker to inject malicious PHP code. This could lead to unauthorized access to or modification of website content and potentially other server-side resources when the vulnerable component is accessible via the network.

  • Website data and integrity.
  • Unauthenticated network access.
  • Site compromise and data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

Unauthenticated PHP Object Injection in JetEngine affects WordPress sites, making them vulnerable to remote code execution. This impacts application owners responsible for the WordPress instance, platform teams managing the hosting environment, and security teams overseeing network exposure. The immediate first step is to inventory all JetEngine installations, confirm their exposure and business criticality, and then identify the accountable owner for remediation.

  • Application owners should address the issue.
  • Verify plugin presence and internet exposure.
  • Plan remediation based on identified risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-52706 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is considered a critical security flaw that would likely cause a PCI ASV scan to fail due to its potential for unauthorized access and code execution.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the JetEngine plugin used for?

JetEngine is a widely used WordPress plugin designed for building dynamic websites and complex web interfaces. It allows administrators to create custom post types, taxonomies, and meta fields without writing manual code. Because it handles significant site structure and content display, it is often a core component of the WordPress ecosystem, typically running on web servers that are publicly accessible to deliver content to visitors.

How does CVE-2026-52706 function as an object injection vulnerability?

This vulnerability is classified as CWE-502, which occurs when an application deserializes untrusted data without sufficient validation. In the context of this CVE, the plugin incorrectly processes input, allowing an attacker to inject malicious PHP objects. When the server reconstructs these objects, it can lead to unintended code execution, effectively granting an attacker the ability to run unauthorized commands on the underlying server.

Do I need to be logged in for an attacker to trigger this bug?

No, this vulnerability does not require any user authentication. An attacker can initiate the attack by sending a specially crafted request containing malicious data directly to the vulnerable JetEngine installation over the network. If the plugin's processing logic is reachable, the injection can occur automatically. The vulnerability is triggered by the plugin's handling of external input, rather than requiring an existing session or administrative credentials.

Why should I care about my exposure to this JetEngine vulnerability?

According to Halo Surface Signal, JetEngine is frequently used on web servers intentionally exposed to the public internet to serve site functionality. Because this vulnerability allows for unauthenticated remote access, any instance directly reachable from the internet faces a significantly higher risk of compromise. You should prioritize assets where this plugin is active and internet-facing, as these represent the most accessible pathways for a potential attacker.

What is the first step to take if I run JetEngine?

Your priority is to establish an inventory of all WordPress sites within your environment to confirm where the JetEngine plugin is currently installed. Once you have identified these instances, determine which are accessible via the internet and categorize them by business criticality. Assign an accountable owner to each identified installation so that you are prepared to apply necessary security updates or configuration changes once they are finalized.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished