PT-2026-32586 · WordPress · JetEngine

Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-4352

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: JetEngine versions prior to 3.8.6.2
Description: The JetEngine plugin for WordPress contains a SQL injection flaw in the Custom Content Type (CCT) REST API search endpoint. The issue occurs because the CCT search query parameter is interpolated directly into a SQL query string with sprintf(), without sanitization and without $wpdb->prepare(). In addition, the WordPress REST API applies wp_unslash() to request data, which removes the escaping added by wp_magic_quotes(), so a single quote in the parameter reaches the query unescaped and single-quote-based injection becomes possible. Unauthenticated attackers can exploit this to append SQL to the query and extract sensitive information from the database. Exploitation requires the Custom Content Types module to be enabled with at least one CCT configured with a public REST GET endpoint.
Recommendations: Update to a version newer than 3.8.6.1. As a temporary workaround, disable the Custom Content Types module or restrict access to the public REST GET endpoints until the update is applied.
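The root cause described above, as an added illustration that is not JetEngine's code: a hypothetical WordPress REST search endpoint written in the unsafe shape the advisory describes (sprintf() string interpolation of an unslashed request parameter), beside the same endpoint rewritten with $wpdb->prepare(). The route name example/v1/cct-search, the parameter name search, the table name my_cct_table and the function names are assumptions made for this example.

```php
<?php
// Added illustration, not JetEngine's own code. Assumes it runs inside
// WordPress: $wpdb is the global database object and the route, parameter
// and table names below are placeholders chosen for this example.

// UNSAFE pattern: REST request values arrive already passed through
// wp_unslash(), so the backslashes that wp_magic_quotes() added to any quote
// are gone. sprintf() then drops the raw value straight into the SQL string,
// and a single quote in $term terminates the literal early.
function example_cct_search_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $term = (string) $request->get_param( 'search' ); // hypothetical parameter
    $sql  = sprintf(
        "SELECT * FROM {$wpdb->prefix}my_cct_table WHERE title LIKE '%%%s%%'",
        $term
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// SAFE pattern: $wpdb->prepare() binds the value as an escaped, quoted string,
// so quotes in $term cannot change the query structure; $wpdb->esc_like()
// additionally neutralises LIKE wildcards (% and _) supplied by the caller.
function example_cct_search_safe( WP_REST_Request $request ) {
    global $wpdb;
    $term = (string) $request->get_param( 'search' );
    $sql  = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}my_cct_table WHERE title LIKE %s",
        '%' . $wpdb->esc_like( $term ) . '%'
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// Route registration for the hardened handler. A public GET endpoint
// (permission_callback returning true) is exactly the exposure the advisory
// describes, which is why the query itself must be parameterised:
// sanitize_text_field() does not strip quotes and is no substitute for prepare().
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/cct-search', array(
        'methods'             => 'GET',
        'callback'            => 'example_cct_search_safe',
        'permission_callback' => '__return_true',
        'args'                => array(
            'search' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, the check is mechanical: every $wpdb->query(), get_results(), get_var() or get_row() call whose SQL string is built with sprintf(), concatenation or interpolation from request data is a finding, regardless of any sanitize_callback on the REST argument, because only $wpdb->prepare() (or the esc_sql() family, for quoted literals) escapes the value for the SQL context.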

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-4352

Affected Products

JetEngine