
JetEngine CVE-2026-54187

EUVD-2026-37632 · CRITICAL
SQL Injection (CWE-89)
2026-06-17 · Patchstack
CVSS 3.1 base score 9.3 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 9.3 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

vuln.today AI: 9.3 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Rationale (vuln.today AI): unauthenticated network SQLi (AV:N/AC:L/PR:N/UI:N) that reaches the WordPress database beyond the plugin's own scope (S:C) yields C:H. The AI rating records the limited write capability typical of SQLi as I:L with A:N, whereas the vendor vector records I:N with A:L; because the CVSS 3.1 formula weights a Low integrity impact and a Low availability impact identically, both vectors compute to the same 9.3 base score.

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026, 11:57 (vuln.today)

Description (CVE.org)

Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions.

Analysis (AI)

Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 3.1 score of 9.3 (Critical) reflects a scope change with high confidentiality and low availability impact, indicating attacker-controlled queries can reach data beyond the plugin's own context. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata; the vulnerable endpoint and parameter are not identified here.

Access: Identify a WordPress site running JetEngine ≤ 3.8.10.1
Delivery: Send a crafted HTTP request to the vulnerable endpoint
Exploit: Inject SQL into the unsanitized parameter
Execution: Exfiltrate password hashes and secrets from wp_users/wp_options
Impact: Crack or replay credentials for admin takeover

Vulnerability Assessment (AI)

Exploitation: No special conditions; remote unauthenticated exploitation against default configurations of WordPress sites running JetEngine at version 3.8.10.1 or below, per CVSS AV:N/AC:L/PR:N/UI:N. …

Risk Assessment: The vector AV:N/AC:L/PR:N/UI:N is the worst-case combination (internet-reachable, low complexity, no privileges, no user interaction), and Scope:Changed (S:C) indicates the impact crosses a security boundary, consistent with a SQLi that can read across the entire WordPress database (users, options, secrets) rather than only the plugin's own tables. …

Exploit Scenario: An unauthenticated attacker on the internet sends a crafted HTTP request to a JetEngine endpoint (likely a REST/AJAX handler exposing a query, filter, or listing parameter), embedding SQL syntax that escapes the intended query context. The injected statement executes against the WordPress database, allowing the attacker to extract password hashes from wp_users, authentication keys from wp_options, or other sensitive site data, which can then be cracked offline or replayed for administrative takeover. …

Remediation: Upgrade JetEngine to a version higher than 3.8.10.1 as soon as the vendor publishes a fixed build; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-10-1-sql-injection-vulnerability and the Crocoblock changelog for the exact patched version number. …

Recommended Action (AI)

24 hours: Conduct an inventory of all WordPress installations to identify JetEngine usage; immediately disable the JetEngine plugin wherever version 3.8.10.1 or earlier is present. JetEngine drives dynamic listings and custom post types, so expect visible site breakage until a patched build is installed. …
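The inventory step above is easy to get wrong by string-comparing versions ("3.8.9" sorts after "3.8.10" lexically). The script below is an added example, not vuln.today or Crocoblock code: it walks a WordPress document root, reads the plugin header the same way WordPress's own get_file_data() does (first 8 KB, a `Version:` line with optional comment punctuation), and compares the version numerically against the advisory's upper bound of 3.8.10.1. It assumes the plugin lives at wp-content/plugins/jet-engine/jet-engine.php (the slug comes from the Patchstack URL; the main-file name is an assumption). The fixture sites it builds are constructed for the demonstration.

```python
"""JetEngine version inventory (added example; not vuln.today/Crocoblock code).
Flags WordPress installs whose JetEngine plugin header reports <= 3.8.10.1,
the last affected version named on this page."""
import os
import re
import tempfile

LAST_VULNERABLE = "3.8.10.1"  # from the advisory: "JetEngine <= 3.8.10.1"
# Assumption: slug 'jet-engine' (per the Patchstack URL) with main file jet-engine.php.
PLUGIN_REL_PATH = os.path.join("wp-content", "plugins", "jet-engine", "jet-engine.php")

# Same header-line grammar WordPress uses in get_file_data(): optional
# comment punctuation, the key, a colon, then the value to end of line.
VERSION_RE = re.compile(r"^[ \t\/*#@]*Version:(.*)$", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text):
    """Return the Version: value from a plugin header block, or None if absent."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    # WordPress discards anything after a closing comment marker and trims.
    return m.group(1).split("*/")[0].strip() or None


def version_tuple(version):
    """'3.8.10.1' -> (3, 8, 10, 1); a non-numeric suffix such as '-beta' is ignored."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_vulnerable(version, last_vulnerable=LAST_VULNERABLE):
    """True when version <= last_vulnerable, comparing components numerically;
    missing trailing components count as 0, so '3.8.10' equals '3.8.10.0'."""
    a, b = version_tuple(version), version_tuple(last_vulnerable)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def check_wordpress_root(wp_root):
    """Return (jetengine_installed, version, needs_action) for one document root.
    An installed plugin with an unparsable header is reported as needing action."""
    path = os.path.join(wp_root, PLUGIN_REL_PATH)
    if not os.path.isfile(path):
        return (False, None, False)
    with open(path, "rb") as fh:
        header = fh.read(8192).decode("utf-8", errors="replace")  # WP reads 8 KB
    version = parse_plugin_version(header)
    if version is None:
        return (True, None, True)  # fail closed: unknown version gets reviewed
    return (True, version, is_vulnerable(version))


def make_fake_site(version):
    """Constructed fixture: a throwaway docroot containing only a JetEngine header."""
    root = tempfile.mkdtemp(prefix="wp-")
    path = os.path.join(root, PLUGIN_REL_PATH)
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: JetEngine\n * Version: %s\n */\n" % version)
    return root


if __name__ == "__main__":
    # Constructed sample roots; on a real host pass the document roots from
    # your web-server config (or the output of `wp core version --path=...`).
    for v in ("3.8.10.1", "3.8.10.2", "3.7.0"):
        print(v, check_wordpress_root(make_fake_site(v)))
```

Run it against every document root the web server serves, not just the one in the ticket; JetEngine is frequently bundled into client themes and staging copies that the inventory forgets. A reported version is only as honest as the file on disk, so treat an unparsable or edited header as "needs action" rather than "clean".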
