Impact
Unauthenticated SQL Injection exists in JetEngine plugin versions 3.8.10.1 and earlier, allowing attackers to inject malicious SQL through unsanitized input. The flaw is a classic input validation weakness (CWE-89) that can be leveraged to read, modify, or delete database contents. In a compromised site, an attacker could exfiltrate sensitive data, alter application configuration, or pivot to higher privilege levels within the backend.
Affected Systems
The vulnerability affects Jetimpex Inc.’s JetEngine WordPress plugin version 3.8.10.1 and earlier. No additional product or version data is listed beyond these releases. Sites deploying an affected JetEngine plugin are at risk until the plugin is upgraded.
Risk and Exploitability
With a CVSS score of 9.3 the vulnerability is rated critical. The EPSS score is not available, so the current public exploitation probability is uncertain, but the flaw is unauthenticated and openly documented, implying a realistic attack surface. The issue is not catalogued in CISA’s KEV list. Attackers are likely to exploit the flaw by sending crafted HTTP requests to the plugin’s endpoints without needing authentication.
OpenCVE Enrichment