Severity by source
CVSS vector (NVD, primary rating and the only source for this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Description (CVE.org)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection.
This issue affects JetEngine: from n/a through 3.8.8.1.
Analysis (AI)
SQL injection in Crocoblock JetEngine (a WordPress plugin) through version 3.8.8.1 allows remote, unauthenticated attackers to inject crafted SQL into backend queries, leading to high-impact confidentiality disclosure and limited availability impact, with a scope change to other components. The flaw carries a CVSS 9.3 rating and was disclosed by Patchstack; no public exploit had been identified at the time of analysis, and the EPSS score is very low (0.03%).
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires only that a target WordPress site has the Crocoblock JetEngine plugin installed and activated at version ≤3.8.8.1 and that the vulnerable endpoint (a REST route or admin-ajax action exposed by JetEngine) is reachable over the network; per CVSS AV:N/AC:L/PR:N/UI:N, no authentication, no user interaction, and no non-default configuration are required. … |
| Risk Assessment | Signals are mixed and should be weighed carefully. … |
| Exploit Scenario | An opportunistic attacker scans the internet for WordPress sites running JetEngine ≤3.8.8.1 (fingerprintable via /wp-content/plugins/jet-engine/ assets), then sends a crafted HTTP request to a vulnerable JetEngine endpoint containing SQL payloads in a parameter that is concatenated into a backend query. Because the issue is unauthenticated and network-reachable with low complexity, and SSVC marks it Automatable=yes, the attacker can use a UNION-based or error-based payload to exfiltrate wp_users password hashes and secret keys from wp_options, then crack the hashes offline or pivot to admin takeover. No public PoC has been identified at this time, but the SQLi tag and CVSS profile make weaponization straightforward once a researcher publishes the injection point. |
| Remediation | No vendor-released patch was identified at the time of analysis from the provided data; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-8-1-sql-injection-vulnerability lists 3.8.8.1 as the last known-vulnerable version, so administrators should monitor that advisory and the Crocoblock changelog for a release above 3.8.8.1 and upgrade as soon as it is published. … |
Recommended Action (AI)
Within 24 hours: Identify all WordPress installations running Crocoblock JetEngine ≤3.8.8.1; assess data sensitivity of affected systems and prioritize by exposure. …
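To support the inventory step above, here is an added triage script (not from the advisory, Patchstack or Crocoblock) that reads the JetEngine plugin header WordPress itself uses and flags installs at or below 3.8.8.1. It assumes the plugin's main file is at the conventional path wp-content/plugins/jet-engine/jet-engine.php under the WordPress root.

```python
"""Flag WordPress installs whose JetEngine plugin is <= 3.8.8.1 (CVE-affected range).
Added example; the plugin main-file path below is an assumption, not from the advisory."""
import re
import sys
from pathlib import Path

LAST_VULNERABLE = "3.8.8.1"  # last known-vulnerable version per the Patchstack advisory
PLUGIN_MAIN = Path("wp-content/plugins/jet-engine/jet-engine.php")  # assumed <slug>/<slug>.php

# Constructed sample of a WordPress plugin header block, used for the stand-alone demo only.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: JetEngine\n * Version: 3.8.8.1\n */\n"


def parse_version(v: str) -> tuple:
    """'3.8.8.1' -> (3, 8, 8, 1). Trailing zeros are dropped so 3.8.9.0 == 3.8.9;
    tuple ordering then compares dotted versions with differing segment counts."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def header_version(php_source: str):
    """Return the 'Version:' value from a WordPress plugin header, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", php_source, re.M | re.I)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True for every version 'through 3.8.8.1', i.e. version <= LAST_VULNERABLE."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def triage(php_source: str) -> dict:
    """Classify one plugin main file's source; an unparsable header is reported, not guessed."""
    ver = header_version(php_source)
    return {"version": ver, "vulnerable": ver is not None and is_vulnerable(ver)}


def triage_install(wp_root: Path) -> dict:
    """Classify one WordPress root directory; missing plugin file means not installed."""
    main = wp_root / PLUGIN_MAIN
    if not main.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    return {"installed": True, **triage(main.read_text(errors="replace"))}


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    print(triage_install(root) if root else triage(SAMPLE_HEADER))
```

Run it with a WordPress root as the first argument to classify a real install, or with no argument to see the constructed sample classified.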
External POC / Exploit Code
- EUVD-2026-31751
- GHSA-g8m9-vcxf-8fwg