Impact
The vulnerability is an unauthenticated SQL Injection that allows attackers to inject arbitrary SQL commands into the JetEngine plugin's database queries. This flaw, classified as CWE-89, can enable attackers to retrieve, modify, or delete sensitive data from the WordPress site's database, potentially leading to data exposure or corruption.
Affected Systems
Any WordPress site using JetEngine versions prior to 3.8.9.1 is affected. The plugin, provided by Jetimpex Inc., is widely used for dynamic content generation, and these vulnerable releases lack proper input sanitization and parameterized queries.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity. The EPSS score is not available, so the current exploitation rate is unknown, but the lack of a KEV listing does not mitigate the risk, as the flaw remains actively exploitable with web-based vectors. Attackers can trigger the injection by submitting crafted requests to the plugin's endpoints without authentication, making the vulnerability highly accessible.
OpenCVE Enrichment