Impact
Unauthenticated SQL injection exists in JetSearch plugin versions up to 3.5.17, allowing an attacker to craft malicious input that is executed as part of database queries. This flaw can lead to reading, modification, or deletion of any data stored in the WordPress database and can potentially enable privilege escalation or further compromise of the server.
Affected Systems
Jetimpex Inc. JetSearch plugin for WordPress, versions 3.5.17 and earlier.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity. No EPSS data is available, so exploitation probability is uncertain, and the vulnerability is not currently listed in CISA KEV. Attacks would typically be carried out by sending specially crafted HTTP requests to the plugin’s input points from any internet-facing WordPress installation that has not yet applied the patch.
OpenCVE Enrichment