CVE-2026-42774

Vulnerability

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability exists in Crocoblock JetEngine, a WordPress plugin. The vulnerability affects all versions from n/a through 3.8.8.1. The flaw allows an attacker to inject arbitrary SQL queries via unsanitized user input, as described in the Patchstack advisory [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication. The attack vector is network-based with low attack complexity. By crafting a malicious HTTP request containing SQL injection payloads, the attacker can inject SQL commands that are executed against the database. No user interaction is needed for exploitation, making this vulnerability suitable for mass exploitation campaigns [1].

Impact

Successful exploitation allows a malicious actor to directly interact with the website's database. The attacker can read, modify, or delete sensitive data, potentially leading to complete site compromise. This could result in theft of user credentials, private information, and other critical data stored in the WordPress database [1].

Mitigation

The vulnerability is fixed in version 3.8.8.2. Users should update to this version or later immediately. Patchstack has issued a mitigation rule that blocks attacks until the plugin is updated. For those unable to update immediately, contacting a hosting provider or web developer is advised. Auto-update for vulnerable plugins can be enabled by Patchstack users [1].