CVE-2026-4352
Received Received - Intake
SQL Injection in JetEngine WordPress Plugin Exposes Data

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: Wordfence

Description
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4352
EUVD
EUVD-2026-22195
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
crocoblock jetengine to 3.8.6.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The JetEngine plugin for WordPress has a vulnerability in its Custom Content Type (CCT) REST API search endpoint in all versions up to and including 3.8.6.1. This vulnerability is a SQL Injection caused by the `_cct_search` parameter being directly inserted into a SQL query string using `sprintf()` without proper sanitization or the use of `$wpdb->prepare()`. Additionally, the WordPress REST API's `wp_unslash()` function removes the protection normally provided by `wp_magic_quotes()`, allowing attackers to inject single quotes and manipulate the SQL query.

Because of this, unauthenticated attackers can append additional SQL queries to existing ones, potentially extracting sensitive information from the database. For this vulnerability to be exploitable, the Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint.

Impact Analysis

This vulnerability allows unauthenticated attackers to perform SQL Injection attacks on the WordPress site's database via the JetEngine plugin's REST API. This can lead to unauthorized extraction of sensitive information stored in the database.

  • Attackers can retrieve sensitive data without authentication.
  • The integrity of the database is not directly affected (no data modification), but confidentiality is compromised.
  • The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.
Detection Guidance

This vulnerability involves SQL Injection via the Custom Content Type (CCT) REST API search endpoint in the JetEngine WordPress plugin. Detection can focus on monitoring HTTP requests to the REST API endpoints related to CCT, especially those containing the _cct_search parameter.

You can detect potential exploitation attempts by inspecting web server logs or using network monitoring tools to look for suspicious GET requests with SQL injection patterns in the _cct_search parameter.

Example commands to detect such attempts might include:

  • Using grep on web server logs to find suspicious _cct_search parameters: grep '_cct_search=.*\'' /var/log/apache2/access.log
  • Using curl to test the endpoint manually: curl -v 'https://yourwordpresssite.com/wp-json/cct/v1/search?_cct_search=1' (replace with payloads containing single quotes or SQL syntax to check for injection)
  • Using intrusion detection systems (IDS) or web application firewalls (WAF) to alert on SQL injection patterns targeting the REST API endpoints.
Mitigation Strategies

Immediate mitigation steps include:

  • Update the JetEngine plugin to a version later than 3.8.6.1 where this vulnerability is fixed.
  • If updating is not immediately possible, disable the Custom Content Types module or any public REST GET endpoints related to CCT to prevent exploitation.
  • Implement web application firewall (WAF) rules to block or monitor suspicious requests containing SQL injection patterns targeting the _cct_search parameter.
  • Restrict access to the REST API endpoints if possible, limiting exposure to unauthenticated users.
Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.

Exposure of sensitive data through such an attack could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information.

Therefore, exploitation of this vulnerability may result in violations of these common standards and regulations due to unauthorized data disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4352. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart