Impact
The JetEngine plugin for WordPress contains an unauthenticated SQL Injection flaw affecting versions up to and including 3.8.9.1. Attackers can inject arbitrary SQL statements into plugin queries, allowing them to read, modify, or delete data stored in the database. In cases where the database account has elevated privileges, the attacker may effectively gain full control of the application database. This vulnerability is classified under CWE-89, and its high severity (CVSS score 9.3) indicates that it could result in catastrophic data loss or compromise of the entire WordPress site.
Affected Systems
The affected product is Jetimpex Inc. – JetEngine plugin for WordPress. All installations running the plugin version 3.8.9.1 or earlier are vulnerable; newer releases are not impacted.
Risk and Exploitability
The CVSS score of 9.3 reflects a critical risk. No EPSS score is reported, so the exploitation probability is unknown. The vulnerability is not listed in CISA’s KEV catalog. Attacks can be carried out without authentication by sending crafted requests to the plugin’s endpoints, making it easy for remote attackers to exploit during normal web traffic.
OpenCVE Enrichment