Scan free
HIGHCVE-2026-28134CVSS 8.5

CVE-2026-28134: RCE in Crocoblock JetEngine

Platform

wordpress

Component

jet-engine

Fixed in

3.7.3

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026
View on NVD
Save

CVE-2026-28134 describes a Remote Code Execution (RCE) vulnerability within Crocoblock JetEngine, a WordPress plugin. This flaw, classified as Improper Control of Generation of Code (Code Injection), allows attackers to achieve Remote Code Inclusion. The vulnerability impacts versions of JetEngine from 0.0.0 up to and including 3.7.2, and a fix is available in version 3.8.1.2.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

The impact of this RCE vulnerability is significant. An attacker exploiting this flaw can achieve Remote Code Inclusion, effectively executing arbitrary code on the affected WordPress website. This could lead to complete system compromise, including data exfiltration, malware installation, and defacement. The attacker could potentially gain control of the entire WordPress instance, impacting all connected services and data. Given JetEngine's functionality as a plugin extending WordPress capabilities, the potential attack surface is broad, and the blast radius could extend to any sensitive data or functionality reliant on the plugin.

Exploitation Context

CVE-2026-28134 was publicly disclosed on 2026-03-05. Currently, there is no indication of active exploitation in the wild, but the RCE nature of the vulnerability makes it a high-priority target. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of exploitation. This vulnerability is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

EPSS

0.05% (16% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H8.5HIGHAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityHighConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentjet-engine
Vendorwordfence
Affected rangeFixed in
0 – 3.7.23.7.3

Weakness Classification (CWE)

CWE-94

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-28134 is to immediately upgrade JetEngine to version 3.8.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the JetEngine plugin to reduce the attack surface. While not a complete solution, implementing strict input validation and sanitization on any user-supplied data processed by JetEngine can help reduce the risk. Monitor WordPress access logs for suspicious activity, particularly attempts to include external files or execute unusual commands.

How to fix

Update to version 3.8.1.2, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-28134 — RCE in Crocoblock JetEngine?

CVE-2026-28134 is a Remote Code Execution vulnerability in Crocoblock JetEngine, allowing attackers to execute arbitrary code on a WordPress website. It has a CVSS score of 8.5 (HIGH).

Am I affected by CVE-2026-28134 in Crocoblock JetEngine?

You are affected if you are using JetEngine versions 0.0.0 through 3.7.2. Check your plugin version and upgrade immediately if necessary.

How do I fix CVE-2026-28134 in Crocoblock JetEngine?

Upgrade JetEngine to version 3.8.1.2 or later. If upgrading is not possible, temporarily disable the plugin.

Is CVE-2026-28134 being actively exploited?

There is currently no confirmed active exploitation, but the RCE nature of the vulnerability makes it a high-priority target.

Where can I find the official Crocoblock advisory for CVE-2026-28134?

Refer to the Crocoblock website and their security advisory page for the latest information and updates regarding CVE-2026-28134.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs