Skip to main content

JetSearch EUVDEUVD-2026-37619

| CVE-2026-49079 CRITICAL
SQL Injection (CWE-89)
2026-06-17 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network-reachable SQLi (AV:N/AC:L/PR:N/UI:N); scope changes to DB (S:C); high data disclosure (C:H), low integrity from possible query manipulation, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:05 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in JetSearch <= 3.5.17 versions.

AnalysisAI

Unauthenticated SQL injection in the JetSearch WordPress plugin (versions <= 3.5.17) allows remote attackers to inject arbitrary SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 9.3 (Critical) score with a scope change, meaning impact extends beyond the plugin to the underlying WordPress database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running JetSearch ≤ 3.5.17
Delivery
Craft SQL injection payload for search endpoint
Exploit
Send unauthenticated HTTP request to vulnerable parameter
Execution
Database executes injected query
Impact
Exfiltrate user hashes and site secrets

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of any WordPress site with the JetSearch plugin (version 3.5.17 or earlier) installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to elevated real-world risk: CVSS 9.3 with AV:N/AC:L/PR:N/UI:N means trivially exploitable over the network with no prerequisites, and the scope change (S:C) plus high confidentiality impact (C:H) reflect database-wide data exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends a crafted HTTP request to the JetSearch AJAX or REST endpoint on a vulnerable WordPress site, embedding a UNION-based or boolean-blind SQL injection payload in a search parameter. The injected query executes against the WordPress database, allowing the attacker to extract sensitive data such as user password hashes from wp_users, secret keys from wp_options, or any custom table data - all without authentication, user interaction, or social engineering.
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the supplied data - administrators should upgrade JetSearch to the latest available version greater than 3.5.17 as published by Jetimpex/Crocoblock and verify via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-search/vulnerability/wordpress-jetsearch-plugin-3-5-17-sql-injection-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable and deactivate the JetSearch plugin on all WordPress instances running version 3.5.17 or earlier; document current deployed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy