Platform: wordpress
Component: jet-engine
Fixed in: 3.7.3
CVE-2026-28134 describes a Remote Code Execution (RCE) vulnerability within Crocoblock JetEngine, a WordPress plugin. This flaw, classified as Improper Control of Generation of Code (Code Injection), allows attackers to achieve Remote Code Inclusion. The vulnerability impacts versions of JetEngine from 0.0.0 up to and including 3.7.2, and a fix is available in version 3.8.1.2.
The impact of this RCE vulnerability is significant. A successful exploit allows an attacker to inject and execute arbitrary code on the affected WordPress site. This could lead to complete system compromise, including data theft, modification, or deletion. Attackers could potentially gain administrative access, install malware, or use the compromised site as a launchpad for further attacks against other systems on the network. The ability to achieve Remote Code Inclusion bypasses typical security controls, making it a particularly dangerous vulnerability.
CVE-2026-28134 was publicly disclosed on 2026-03-05. Because the flaw allows Remote Code Inclusion, its exploitation probability is potentially high. No public proof-of-concept (PoC) has been confirmed at the time of writing, but the severity, together with the ease of exploitation once a PoC becomes available, could lead to active exploitation campaigns. Monitor security advisories and threat intelligence feeds for updates.
WordPress websites utilizing Crocoblock JetEngine, particularly those with publicly accessible file upload functionalities or those running older, unpatched versions of the plugin, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also more vulnerable, as a compromise of one site could potentially lead to the compromise of others.
Detection commands (wordpress / composer / npm):
• grep -r "jet-engine/includes/class-jet-engine.php" .
• wp plugin list --status=inactive | grep jet-engine
• wp plugin update --all

Disclosure
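The commands above only locate the plugin; the following script, added here as an example and not taken from the advisory or from JetEngine, reads the standard WordPress "Version:" header of the plugin's main file and decides whether the installed copy falls in the affected range 0.0.0 through 3.7.2. The main-file path wp-content/plugins/jet-engine/jet-engine.php used in the usage line is an assumption, and the embedded sample header is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the advisory or of JetEngine: read the "Version:"
# header of an installed plugin and decide whether it falls in the affected
# range 0.0.0 .. 3.7.2 stated above. The main-file path
# wp-content/plugins/jet-engine/jet-engine.php is an assumption.

LAST_AFFECTED="3.7.2"   # highest affected version per the advisory
# Print the numeric part of the "Version:" header from a plugin main file.
plugin_version() {
  sed -n 's/^[[:space:]*#]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Compare dotted versions component by component (so 3.10 > 3.9 and
# 3.7.2 < 3.8.1.2). Prints -1, 0 or 1; missing components count as 0.
version_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Exit 0 if the plugin at $1 is affected, 1 if patched, 2 if no version found.
jetengine_affected() {
  v=$(plugin_version "$1")
  [ -n "$v" ] || return 2
  [ "$(version_cmp "$v" "$LAST_AFFECTED")" -le 0 ]
}

# Constructed sample header (not a real plugin file) so the script runs offline.
write_sample_plugin() {
  cat > "$1" <<'EOF'
<?php
/**
 * Plugin Name: JetEngine
 * Version: 3.7.2
 */
EOF
}

# Usage: ./check.sh wp-content/plugins/jet-engine/jet-engine.php
if [ -n "$1" ]; then
  jetengine_affected "$1" && echo "AFFECTED: upgrade" || echo "not affected / version unreadable"
fi
```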
Exploit status:
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-28134 is to immediately upgrade JetEngine to version 3.8.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file access permissions within the WordPress environment and carefully reviewing any user-supplied input to prevent code injection attempts. Web Application Firewalls (WAFs) configured to detect and block Remote Code Inclusion attempts can also provide a layer of protection. After upgrading, confirm the fix by attempting to trigger the vulnerable functionality and verifying that the code execution is blocked.
Update to version 3.8.1.2 or a newer patched version.
CVE-2026-28134 is a Remote Code Execution vulnerability in Crocoblock JetEngine, allowing attackers to execute arbitrary code on a WordPress website. It has a CVSS score of 8.5 (HIGH).
You are affected if you are using JetEngine versions 0.0.0 through 3.7.2. Check your plugin version and upgrade immediately if necessary.
Upgrade JetEngine to version 3.8.1.2 or later. If upgrading is not possible, temporarily disable the plugin.
There is currently no confirmed active exploitation, but the RCE nature of the vulnerability makes it a high-priority target.
Refer to the Crocoblock website and their security advisory page for the latest information and updates regarding CVE-2026-28134.