Skip to main content

JetEngine CVE-2026-49076

| EUVD-2026-37618 CRITICAL
SQL Injection (CWE-89)
2026-06-17 Patchstack
SQLi Jetengine
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network SQLi against a WordPress plugin justifies AV:N/AC:L/PR:N/UI:N and S:C (DB beyond plugin scope); C:H for full DB read, I:L because hash exfiltration plausibly enables limited integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:05 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions.

AnalysisAI

Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote attackers without credentials to inject arbitrary SQL through plugin-handled inputs. With a CVSS 3.1 score of 9.3 (scope-changed) and no authentication or user interaction required, the flaw is well-suited for opportunistic, mass exploitation of WordPress sites that use this popular Crocoblock plugin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Scan internet for WordPress sites with JetEngine
Delivery
Fingerprint plugin version <= 3.8.9.1
Exploit
Send crafted request with SQLi payload to vulnerable endpoint
Install
Inject UNION/blind SELECT against wp_users and wp_options
C2
Extract password hashes and auth secrets
Execute
Crack hashes or replay session data
Impact
Authenticate as administrator and take over site
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The vulnerable JetEngine plugin (version <= 3.8.9.1) must be installed and active on a network-reachable WordPress site; no authentication, user interaction, special configuration, or non-default deployment mode is required because the CVSS vector is AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is high. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scanning the internet for WordPress sites identifies one running JetEngine 3.8.9.1 or earlier, then issues a crafted HTTP request to a vulnerable plugin endpoint (e.g., a listing/AJAX/REST handler) with a malicious parameter containing UNION-based or boolean-blind SQL. Because no authentication or user interaction is required (PR:N/UI:N) and complexity is low, the request executes against the WordPress database and returns sensitive content - administrator password hashes from wp_users, auth secrets, API keys stored in wp_options - which the attacker then cracks or replays to escalate to site takeover. …
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data - administrators should consult https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-9-1-sql-injection-vulnerability-2 and the Crocoblock changelog to identify the exact fixed JetEngine release (any version > 3.8.9.1) and upgrade via the WordPress plugins screen or WP-CLI. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Inventory all WordPress instances running JetEngine ≤3.8.9.1; disable the plugin immediately on all affected sites. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49075 CRITICAL
9.8 Jun 17

PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Co
CVE-2026-52706 CRITICAL
9.8 Jun 17

Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote

CVE-2026-49084 CRITICAL
9.3 Jun 17

Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inj
CVE-2026-54187 CRITICAL
9.3 Jun 17

Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to
CVE-2026-12360 HIGH
7.5 Jun 17

Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extra

Share

CVE-2026-49076 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy