JetEngine plugin for WordPress allows attackers to steal database info
CVE-2026-4352
Summary
The JetEngine plugin for WordPress, in all versions up to and including 3.8.6.1, contains an unauthenticated SQL injection in the Custom Content Type (CCT) REST API search endpoint that lets attackers read sensitive data from the site database. If you have this plugin installed, update to a version newer than 3.8.6.1. If you cannot update right away, disabling the Custom Content Types module (or removing the public REST GET endpoint from every configured CCT) removes the reachable attack surface, because the flaw is only exploitable when the module is enabled and at least one CCT exposes a public REST GET endpoint.
Original description
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.
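The following is an added example, not JetEngine's code, that reproduces the two mechanisms the description names: a search term formatted straight into the SQL text (the `sprintf()` pattern) beside the same query with the value bound as a parameter (what `$wpdb->prepare()` provides), plus a small stand-in for the `wp_magic_quotes()` / `wp_unslash()` round trip that explains why the single quote survives in the REST path. It uses an in-memory SQLite database instead of WordPress/MySQL; the table names, columns, sample rows, password hash and the exact shape of the `LIKE` query are all assumptions made for the demonstration.

```python
"""Added example (not JetEngine's or WordPress's code).

Shows why interpolating the `_cct_search` value into a query string is
injectable and what parameter binding changes.  SQLite stands in for
MySQL; table/column names and sample data are constructed assumptions.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one CCT table plus a users table holding
    the kind of secret (password hashes) an attacker would UNION out."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_jet_cct_products (_ID INTEGER, title TEXT);
        INSERT INTO wp_jet_cct_products VALUES (1, 'Blue widget'), (2, 'Red gadget');
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BfakehashExampleOnly000000000000');
        """
    )
    return conn


def vulnerable_search(conn: sqlite3.Connection, cct_search: str) -> list:
    """The pattern the advisory describes: the raw request value is
    formatted into the SQL text (PHP sprintf('%s') equivalent).  A single
    quote in the value closes the string literal and the rest is SQL."""
    sql = (
        "SELECT _ID, title FROM wp_jet_cct_products WHERE title LIKE '%%%s%%'"
        % cct_search
    )
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, cct_search: str) -> list:
    """Parameter binding, the equivalent of $wpdb->prepare(): the value is
    sent separately from the statement text, so it can never terminate
    the literal.  The wildcards are added to the value, not the SQL."""
    sql = "SELECT _ID, title FROM wp_jet_cct_products WHERE title LIKE ?"
    return conn.execute(sql, ("%" + cct_search + "%",)).fetchall()


def addslashes(s: str) -> str:
    """Approximation of PHP addslashes() (what wp_magic_quotes() applies
    to request data): backslash-escape backslashes and quotes."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def stripslashes(s: str) -> str:
    """Approximation of PHP stripslashes() (what wp_unslash() applies to
    $_GET in the REST API path): drop the escaping backslashes again."""
    return re.sub(r"\\(.)", r"\1", s)


def rest_api_value(raw_query_value: str) -> str:
    """What the handler actually receives: the magic-quotes escaping added
    on request entry is undone before the value reaches the query builder,
    so the attacker's quote is intact.  This is the round trip the
    description refers to; it is modelled here, not taken from WordPress."""
    return stripslashes(addslashes(raw_query_value))


def demo() -> dict:
    """Run both query styles against the same UNION-based payload."""
    conn = make_db()
    payload = rest_api_value("' UNION SELECT user_login, user_pass FROM wp_users -- ")
    return {
        "vulnerable": vulnerable_search(conn, payload),
        "safe": safe_search(conn, payload),
        "normal": safe_search(conn, "widget"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable path returns the `wp_users` row alongside the product rows because the payload's leading quote ends the `LIKE` literal and `--` comments out the trailing `%'`; the bound-parameter path returns nothing for the same input, since the whole string is matched as a title. Whether `wp_magic_quotes()` had escaped the quote makes no difference once `wp_unslash()` has removed the escaping, which is why the REST endpoint is reachable with plain `'`-based payloads.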
NVD CVSS 3.1 score: 7.5
Vulnerability type: CWE-89 (SQL Injection)
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026