CVE-2026-4352
Description
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the _cct_search parameter being interpolated directly into a SQL query string via sprintf() without sanitization or use of $wpdb->prepare(). WordPress REST API's wp_unslash() call on $_GET strips the wp_magic_quotes() protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JetEngine plugin <=3.8.6.1 has unauthenticated SQL injection via CCT REST API search parameter, allowing database data extraction.
The JetEngine plugin for WordPress, in all versions up to and including 3.8.6.1, is vulnerable to SQL injection through the Custom Content Type (CCT) REST API search endpoint. The _cct_search parameter is directly interpolated into a SQL query using sprintf() without sanitization or parameterized queries. Additionally, WordPress REST API's wp_unslash() call on $_GET strips the wp_magic_quotes() protection, permitting single-quote-based injection [1].
Exploitation requires the Custom Content Types module to be enabled and at least one CCT configured with a public REST GET endpoint. An unauthenticated attacker can craft a malicious HTTP request to the vulnerable endpoint, appending arbitrary SQL queries to the existing query [1].
Successful exploitation allows an attacker to extract sensitive information from the database, such as user credentials or other confidential data, potentially leading to full site compromise [1].
The vendor recommends updating JetEngine to the latest patched version to remediate this vulnerability. No workarounds are currently available for users unable to update immediately [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
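The weakness named in the description and in the AI Insight above (a search parameter spliced into SQL text with sprintf() instead of being passed to $wpdb->prepare()) is shown here as an added illustration. This is not JetEngine's code: the table name, the route namespace and both callback names are hypothetical, and the vulnerable pattern is kept only so the corrected form can be read against it.

```php
<?php
// Added illustration, not JetEngine's code. Table name, route and function names
// are hypothetical; the point is the sprintf() vs. $wpdb->prepare() contrast.

function example_vulnerable_cct_search( WP_REST_Request $request ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'example_cct_items';     // hypothetical table
    $search = $request->get_param( '_cct_search' );    // already unslashed by the REST layer

    // WEAK: user input becomes part of the SQL text. sprintf() knows nothing about
    // SQL quoting, so a single quote in $search ends the string literal and the
    // remainder of the parameter is parsed as SQL. wp_magic_quotes() does not help
    // here because the REST layer has already stripped the added slashes.
    $sql = sprintf(
        "SELECT * FROM %s WHERE title LIKE '%%%s%%'",
        $table,
        $search
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

function example_hardened_cct_search( WP_REST_Request $request ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'example_cct_items';
    $search = (string) $request->get_param( '_cct_search' );

    // FIX: the value is bound through a %s placeholder. $wpdb->prepare() quotes and
    // escapes it, so quote characters stay data and cannot alter the statement.
    // esc_like() additionally escapes % and _ so they are not treated as wildcards.
    // The table name is not user input, so interpolating it is acceptable.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE title LIKE %s",
        $like
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Only the hardened callback is registered. 'permission_callback' => '__return_true'
// is what makes a REST route public (unauthenticated), which is exactly the
// precondition the advisory names; a callback that returns true must therefore
// never reach a query built from raw request data.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/cct-search', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_hardened_cct_search',
        'permission_callback' => '__return_true',
        'args'                => array(
            '_cct_search' => array(
                'type'              => 'string',
                // Defence in depth only: sanitize_text_field() strips tags and
                // control characters but does NOT escape SQL quotes. prepare() is
                // the fix; this just narrows what reaches it.
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, the thing to grep for is any `$wpdb->get_results`, `get_var`, `get_row` or `query` call whose argument was built with `sprintf()`, string concatenation or interpolation of a request value; the corrected form above is the pattern such calls should be rewritten to.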
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 3
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026) · Wordfence Blog · May 7, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026) · Wordfence Blog · Apr 23, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026) · Wordfence Blog · Apr 2, 2026