Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
An unauthenticated, network-reachable SQL injection in a WordPress plugin endpoint; the read-only injection path described by the reporter justifies I:N, while cross-boundary database access supports S:C and C:H.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Description (source: CVE.org)
Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions.
Analysis (AI-generated)
Unauthenticated SQL injection in the JetEngine WordPress plugin versions prior to 3.8.9.1 allows remote attackers to inject malicious SQL into backend database queries without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with a changed scope, enabling data disclosure across the WordPress installation and partial impact on availability. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The target WordPress site must have the JetEngine plugin installed and active at a version below 3.8.9.1, with the vulnerable endpoint reachable over the network, which is typical for any public WordPress site running this plugin. … |
| Risk Assessment | The signals are largely consistent and point to a genuine high-priority vulnerability: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N indicates remote, low-complexity, unauthenticated exploitation with no user interaction, and S:C/C:H reflects a high confidentiality impact extending beyond the plugin's own boundary. … |
| Exploit Scenario | A remote unauthenticated attacker sends a crafted HTTP request to a public WordPress endpoint exposed by the JetEngine plugin, embedding a malicious SQL payload in a vulnerable parameter that flows into a database query. The injection extracts sensitive data from the WordPress database, such as administrator password hashes from wp_users or secret tokens from wp_options, which the attacker then uses for offline cracking or session forgery to escalate to full site compromise. … |
| Remediation | Vendor-released patch: upgrade JetEngine to version 3.8.9.1 or later immediately via the WordPress plugin administration screen or by downloading the fixed release from Crocoblock; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-9-1-sql-injection-vulnerability is the authoritative reference. … |
Recommended Action (AI-generated)
WITHIN 24 HOURS: Inventory all WordPress installations using JetEngine; identify affected versions (prior to 3.8.9.1); document data sensitivity and exposure scope. …
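As an added example (not code from vuln.today, Patchstack or Crocoblock), the inventory step above can be scripted: read the plugin header of each WordPress install and compare its version against the fixed release 3.8.9.1. It assumes the plugin's main file sits at wp-content/plugins/jet-engine/jet-engine.php and that versions are purely numeric dotted strings; the version parser exists because a plain string comparison wrongly ranks 3.8.10 below 3.8.9.

```python
import re
from pathlib import Path

# First fixed release named in the advisory; anything below it is affected.
FIXED_VERSION = "3.8.9.1"
# Assumed location of the plugin's main file, relative to a WordPress root.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/jet-engine/jet-engine.php")

# Constructed sample of a WordPress plugin file header (not the real JetEngine file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: JetEngine
 * Version:     3.8.10
 */
"""

def parse_version(version: str) -> tuple:
    """Dotted version -> tuple of ints padded to four parts, so 3.8.10 > 3.8.9.1.
    Lexical comparison gets this wrong: '3.8.10' < '3.8.9' as strings."""
    nums = [int(p) for p in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (4 - len(nums)))

def read_plugin_version(header_text: str):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^[\s*#/]*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def is_affected(version: str) -> bool:
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def audit_site(wp_root) -> dict:
    """Inventory one WordPress root: is JetEngine present, which version, affected?"""
    main_file = Path(wp_root) / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"root": str(wp_root), "installed": False}
    # Plugin headers live in the first few KB; no need to read the whole file.
    version = read_plugin_version(main_file.read_text(errors="replace")[:8192])
    return {"root": str(wp_root), "installed": True, "version": version,
            "affected": version is not None and is_affected(version)}

if __name__ == "__main__":
    import sys
    for root in sys.argv[1:] or ["/var/www/html"]:
        print(audit_site(root))
```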
More from the same product (last 7 days)
- PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Co
- Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote
- Unauthenticated SQL injection in the JetEngine WordPress plugin (versions up to and including 3.8.9.1) allows remote att
- Unauthenticated SQL injection in the JetEngine WordPress plugin versions 3.8.10.1 and earlier allows remote attackers to
- Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extra
EUVD-2026-37621