Description
Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions.
Published: 2026-06-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crocoblock’s JetEngine plugin for WordPress contains an unauthenticated SQL injection flaw in versions up to 3.8.10.2. An attacker can embed malicious SQL through user‑supplied parameters, allowing arbitrary SELECT, UPDATE, DELETE, or INSERT statements against the database. This enables data theft, modification, or loss, and could ultimately facilitate privilege escalation or destruction of site data. The CWE‑89.

Affected Systems

WordPress websites that have the JetEngine plugin installed from Crocoblock or Jetimpex Inc., specifically any installation running version 3.8.10.2 or earlier. Users running a newer release such as 3.8.11 are not affected.

Risk and Exploitability

The CVSS v3.1 base score of 9.3 reflects a high severity exploit with no authentication required, affecting confidentiality and integrity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers likely exploit the issue by crafting a request that is processed by the plugin’s query interface, which is exposed to any visitor on the site. Because the vulnerability does not require privileged credentials, the risk is significant for any publicly accessible WordPress deployment that has not applied the patch.

Generated by OpenCVE AI on June 26, 2026 at 17:08 UTC.

Remediation

Vendor Solution

Update the WordPress JetEngine Plugin to the latest available version (at least 3.8.11).


OpenCVE Recommended Actions

  • Update the JetEngine plugin to version 3.8.11 or later.
  • If upgrading is not feasible, disable or uninstall the plugin to block unauthenticated access.
  • Restrict the plugin’s API endpoints to administrative users and enforce input validation to mitigate injection risk.

Generated by OpenCVE AI on June 26, 2026 at 17:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress
Vendors & Products Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress

Mon, 29 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions.
Title WordPress JetEngine plugin <= 3.8.10.2 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Crocoblock Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-29T14:48:13.999Z

Reserved: 2026-06-18T14:38:18.949Z

Link: CVE-2026-56068

cve-icon Vulnrichment

Updated: 2026-06-29T14:47:49.629Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T19:45:02Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')