Platform
wordpress
Component
jet-engine
Fixed in
3.7.3
CVE-2026-28134 describes a Remote Code Execution (RCE) vulnerability within Crocoblock JetEngine, a WordPress plugin. This flaw, classified as Improper Control of Generation of Code (Code Injection), allows attackers to achieve Remote Code Inclusion. The vulnerability impacts versions of JetEngine from 0.0.0 up to and including 3.7.2, and a fix is available in version 3.8.1.2.
The impact of this RCE vulnerability is significant. An attacker exploiting this flaw can achieve Remote Code Inclusion, effectively executing arbitrary code on the affected WordPress website. This could lead to complete system compromise, including data exfiltration, malware installation, and defacement. The attacker could potentially gain control of the entire WordPress instance, impacting all connected services and data. Given JetEngine's functionality as a plugin extending WordPress capabilities, the potential attack surface is broad, and the blast radius could extend to any sensitive data or functionality reliant on the plugin.
CVE-2026-28134 was publicly disclosed on 2026-03-05. Currently, there is no indication of active exploitation in the wild, but the RCE nature of the vulnerability makes it a high-priority target. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of exploitation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (16% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28134 is to immediately upgrade JetEngine to version 3.8.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the JetEngine plugin to reduce the attack surface. While not a complete solution, implementing strict input validation and sanitization on any user-supplied data processed by JetEngine can help reduce the risk. Monitor WordPress access logs for suspicious activity, particularly attempts to include external files or execute unusual commands.
Update to version 3.8.1.2, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-28134 is a Remote Code Execution vulnerability in Crocoblock JetEngine, allowing attackers to execute arbitrary code on a WordPress website. It has a CVSS score of 8.5 (HIGH).
You are affected if you are using JetEngine versions 0.0.0 through 3.7.2. Check your plugin version and upgrade immediately if necessary.
Upgrade JetEngine to version 3.8.1.2 or later. If upgrading is not possible, temporarily disable the plugin.
There is currently no confirmed active exploitation, but the RCE nature of the vulnerability makes it a high-priority target.
Refer to the Crocoblock website and their security advisory page for the latest information and updates regarding CVE-2026-28134.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.