Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection.

This issue affects JetEngine: from n/a through 3.8.8.1.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special characters within an SQL command in Crocoblock JetEngine creates a classic SQL Injection flaw. The vulnerability is a CWE-89 weakness that permits an attacker to inject arbitrary SQL statements, potentially exposing sensitive data, altering records, or deleting database contents. Because the flaw stems from unsanitized input handled in plugin code, it can be triggered by a crafted web request.

Affected Systems

WordPress installations that use the Crocoblock JetEngine plugin version 3.8.8.1 or earlier are affected. This includes any site that has not applied the 3.8.8.2 update or later. The issue is not limited to a particular WordPress version; any site running a vulnerable copy of the plugin is at risk.

Risk and Exploitability

The CVSS score of 9.3 classifies this as critical, and the flaw can be exploited remotely through the plugin's web interface. No EPSS score is reported and the CVE is not listed in the KEV catalog, but the high overall severity and the ability to invoke the plugin's database queries make it a high-risk vulnerability. An attacker with sufficient access to trigger the plugin's endpoints can achieve full database compromise without additional privileges.

Generated by OpenCVE AI on May 26, 2026 at 00:22 UTC.

Remediation

Vendor Solution

Update the WordPress JetEngine Plugin to the latest available version (at least 3.8.8.2).


OpenCVE Recommended Actions

  • Update the WordPress JetEngine plugin to version 3.8.8.2 or later.
  • Remove or disable the plugin on sites where it is not essential, or restrict access to the plugin’s administrative pages.
  • After applying the update, audit the database for any unauthorized changes and restore from a recent backup if necessary.


Advisories

No advisories yet.

History

Tue, 26 May 2026 00:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Crocoblock; Crocoblock jetengine; Wordpress; Wordpress wordpress
Vendors & Products | | Crocoblock; Crocoblock jetengine; Wordpress; Wordpress wordpress

Mon, 25 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection. This issue affects JetEngine: from n/a through 3.8.8.1.
Title | | WordPress JetEngine plugin <= 3.8.8.1 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-25T22:34:09.714Z

Reserved: 2026-04-29T11:42:26.336Z

Link: CVE-2026-42774

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T00:30:26Z

Weaknesses