Description
Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions.
Published: 2026-06-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crocoblock’s JetEngine plugin for WordPress contains an unauthenticated SQL injection flaw in versions up to 3.8.10.2. An attacker can embed malicious SQL through user-supplied parameters, allowing arbitrary SELECT, UPDATE, DELETE, or INSERT statements against the database. This enables data theft, modification, or loss, and could ultimately facilitate privilege escalation or destruction of site data. The weakness is classified as CWE-89.

Affected Systems

WordPress websites that have the JetEngine plugin installed from Crocoblock or Jetimpex Inc., specifically any installation running version 3.8.10.2 or earlier. Users running a newer release such as 3.8.11 are not affected.

Risk and Exploitability

The CVSS v3.1 base score of 9.3 reflects a high-severity flaw that requires no authentication, affecting confidentiality and integrity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers likely exploit the issue by crafting a request that is processed by the plugin’s query interface, which is exposed to any visitor on the site. Because the vulnerability does not require privileged credentials, the risk is significant for any publicly accessible WordPress deployment that has not applied the patch.

Generated by OpenCVE AI on June 26, 2026 at 17:08 UTC.

Remediation

Vendor Solution

Update the WordPress JetEngine Plugin to the latest available version (at least 3.8.11).


OpenCVE Recommended Actions

  • Update the JetEngine plugin to version 3.8.11 or later.
  • If upgrading is not feasible, disable or uninstall the plugin to block unauthenticated access.
  • Restrict the plugin’s API endpoints to administrative users and enforce input validation to mitigate injection risk.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions.
Title | | WordPress JetEngine plugin <= 3.8.10.2 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T14:52:52.646Z

Reserved: 2026-06-18T14:38:18.949Z

Link: CVE-2026-56068

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:15:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')