Description
Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JetEngine plugin for WordPress contains an unauthenticated SQL Injection flaw affecting versions up to and including 3.8.9.1. Attackers can inject arbitrary SQL statements into plugin queries, allowing them to read, modify, or delete data stored in the database. In cases where the database account has elevated privileges, the attacker may effectively gain full control of the application database. This vulnerability is classified under CWE-89, and its high severity (CVSS score 9.3) indicates that it could result in catastrophic data loss or compromise of the entire WordPress site.

Affected Systems

The affected product is Jetimpex Inc. – JetEngine plugin for WordPress. All installations running the plugin version 3.8.9.1 or earlier are vulnerable; newer releases are not impacted.

Risk and Exploitability

The CVSS score of 9.3 reflects a critical risk. No EPSS score is reported, so the exploitation probability is unknown. The vulnerability is not listed in CISA’s KEV catalog. Attacks can be carried out without authentication by sending crafted requests to the plugin’s endpoints, making it easy for remote attackers to exploit during normal web traffic.

Generated by OpenCVE AI on June 18, 2026 at 12:09 UTC.

Remediation

Vendor Solution

Update the WordPress JetEngine Plugin to the latest available version (at least 3.8.10).


OpenCVE Recommended Actions

  • Upgrade the JetEngine plugin to version 3.8.10 or later.
  • If the plugin is not required, remove or completely disable it from the WordPress installation.
  • Apply the principle of least privilege to database users used by WordPress; restrict them to the minimal permissions needed for normal operation.
  • Monitor web and database logs for anomalous SQL activity to detect potential exploitation attempts.

Generated by OpenCVE AI on June 18, 2026 at 12:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress
Vendors & Products Jetimpex Inc.
Jetimpex Inc. jetengine
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.
Title WordPress JetEngine plugin <= 3.8.9.1 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Jetimpex Inc. Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:30:23.428Z

Reserved: 2026-05-27T10:27:01.186Z

Link: CVE-2026-49076

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:57Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')