Description
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.
Published: 2026-04-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to data exposure
Action: Patch Immediately
AI Analysis

Impact

The JetEngine plugin for WordPress is susceptible to an unauthenticated SQL injection flaw in the Custom Content Type REST API search endpoint. The internal use of sprintf() to build a query string from the _cct_search parameter without sanitization or prepared statements allows an attacker to inject arbitrary SQL that is appended to the originating query. This can result in the unrestricted extraction of sensitive database content. The weakness is a classic input validation flaw, categorized as CWE-89. The CVSS score of 7.5 indicates a high severity impact for confidentiality and integrity.

Affected Systems

The affected product is the Crocoblock JetEngine plugin for WordPress. All releases up to and including 3.8.6.1 are vulnerable. Exploitation requires that the Custom Content Types module be enabled and that at least one content type exposes a public REST GET endpoint. Users running these configurations are at risk.

Risk and Exploitability

The vulnerability exposes a high likelihood of exploitation via a straightforward HTTP request to the vulnerable endpoint, and the lack of authentication requirements makes it attractive to attackers. With a CVSS base score of 7.5 and no recorded presence in the CISA KEV catalog, the risk remains significant. An attacker could use the injected payload to read or modify database records, leading to data compromise and potential further compromise of the underlying WordPress installation.

Generated by OpenCVE AI on April 14, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JetEngine to a version newer than 3.8.6.1 to apply the vendor fix.
  • Disable the Custom Content Types module or remove public REST GET endpoints until the plugin is updated.
  • Verify that no other plugins or custom code introduce similar unsanitized query construction.

Generated by OpenCVE AI on April 14, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress
Vendors & Products Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
Description The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.
Title JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via '_cct_search' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Crocoblock Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T14:04:52.928Z

Reserved: 2026-03-17T17:46:14.666Z

Link: CVE-2026-4352

cve-icon Vulnrichment

Updated: 2026-04-14T14:04:12.361Z

cve-icon NVD

Status : Deferred

Published: 2026-04-14T02:16:05.613

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-4352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:05Z

Weaknesses