What the vulnerability does
01Description
Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions.
CVE-2026-56068
CRITICAL
CVE-2026-56068: WordPress JetEngine plugin <= 3.8.10.2 - SQL Injection vulnerability
CVSS base score
9.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Explanation of Vulnerability in Simple Terms
02Summary
JetEngine contains a SQL injection vulnerability that allows unauthenticated attackers to read sensitive database information and cause service disruptions. The vulnerability requires no user interaction and can be exploited over the network. An attacker can extract data from the site's database or degrade performance by crafting malicious queries.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the site's database and cause service disruptions without authentication.
Potential impact on your site
04Site Impact
Attackers can steal database contents (user data, posts, settings) and potentially disrupt site availability.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 26, 2026
CVE published
June 29, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2026-48231 Open ISES Tickets < 3.44.2 SQL Injection via tables.php Multiple Parameters
CVE-2022-0948 Order Listener for WooCommerce < 3.2.2 - Unauthenticated SQLi
CVE-2025-4156 PHPGurukul Boat Booking System change-image.php sql injection
CVE-2021-26609 WordPress Mangboard SQL-Injection vulnerability
CVE-2025-3383 SourceCodester Web-based Pharmacy Product Management System search_sales.php sql injection
