What the vulnerability does
01Description
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.
Explanation of Vulnerability in Simple Terms
02Summary
JetEngine versions up to 3.8.6.1 contain a SQL injection vulnerability that allows unauthenticated attackers to read sensitive data from the site's database. The vulnerability requires only network access and no user interaction. An attacker can craft malicious requests to extract information such as user credentials, configuration data, or other stored records.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the site database without authentication.
Potential impact on your site
04Site Impact
Attackers can extract user credentials, configuration secrets, and other sensitive database records from your site.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
April 14, 2026
CVE published
April 14, 2026
Record updated
