JetEngine Plugin SQLi Puts WordPress Sites at Risk
The National Vulnerability Database (NVD) recently published a significant SQL injection vulnerability, CVE-2026-4352, affecting the JetEngine plugin for WordPress. The flaw impacts all versions up to and including 3.8.6.1, and it is serious because it lets unauthenticated attackers extract sensitive data directly from the database.
The core issue, as described by the NVD, lies in the Custom Content Type (CCT) REST API's search endpoint. The _cct_search parameter is interpolated directly into a SQL query string with sprintf(), with no sanitization and no $wpdb->prepare(). Worse, the usual safety net does not apply: WordPress's wp_magic_quotes() adds backslashes to values in $_GET, but the REST API builds its request parameters from wp_unslash($_GET), so those backslashes are stripped before the value ever reaches the plugin. A single quote therefore arrives unescaped, which is exactly what a classic quote-based injection needs. This isn't a theoretical bug; it's a working exploit vector.
Two conditions are required for exploitation: the Custom Content Types module must be enabled, and at least one CCT must be configured with a public REST GET endpoint (one that needs no authentication). If both hold, an attacker can append additional SQL to the existing query and turn a simple search into a data exfiltration exercise. Since $wpdb executes a single statement per call, this is typically done with UNION-based or blind (boolean or time-based) payloads rather than stacked statements. With a CVSS score of 7.5 (HIGH), this isn't something to shrug off. It is a textbook CWE-89 case, and a reminder that parameterized queries and input validation aren't just best practices but essential defenses.
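To make the mechanism concrete, here is an added example of the vulnerable pattern beside its hardened form, written as a minimal WordPress plugin. This is illustrative code, not JetEngine's own: the table name, the column names, the route path (`demo-cct/v1/search`) and the use of a LIKE search are assumptions; the only details taken from the advisory are the `_cct_search` parameter, the sprintf()-without-prepare() pattern and the unslashing behaviour of the REST API. The `'__return_true'` permission callback is what makes an endpoint "public" in the sense the advisory describes.

```php
<?php
/**
 * Plugin Name: CCT search demo (added example, not JetEngine code)
 * Table/column names and the route are assumptions for illustration.
 */

// What the REST API does before a callback runs: $_GET arrives with magic quotes
// applied (wp_magic_quotes() == addslashes() on every value), and the request
// object is built from wp_unslash( $_GET ), so the backslashes are gone again.
function demo_show_unslash( $value ) {
    $slashed   = addslashes( $value );   // "' OR 1=1 -- "  ->  "\' OR 1=1 -- "
    $unslashed = wp_unslash( $slashed ); // back to "' OR 1=1 -- " (quote restored)
    return array( 'slashed' => $slashed, 'unslashed' => $unslashed );
}

// VULNERABLE: the pattern the advisory describes. The user-controlled term is
// formatted straight into the SQL string with sprintf(), no prepare().
function demo_cct_search_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'jet_cct_demo';                 // assumed table name
    $term  = (string) $request->get_param( '_cct_search' ); // already unslashed
    // With $term = "' OR 1=1 -- " the WHERE clause becomes a tautology; with a
    // UNION SELECT payload it reads other tables instead.
    $sql = sprintf( "SELECT _ID, title FROM %s WHERE title LIKE '%%%s%%'", $table, $term );
    return rest_ensure_response( $wpdb->get_results( $sql, ARRAY_A ) );
}

// HARDENED: validate the input, escape LIKE wildcards, and let $wpdb->prepare()
// quote the value (%s) and the identifier (%i, available since WordPress 6.2).
function demo_cct_search_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'jet_cct_demo';
    $term  = sanitize_text_field( (string) $request->get_param( '_cct_search' ) );
    if ( '' === $term ) {
        return new WP_Error( 'rest_invalid_param', 'Empty search term.', array( 'status' => 400 ) );
    }
    // esc_like() neutralises % and _ so the caller cannot widen the pattern;
    // prepare() then escapes quotes, so "' OR 1=1 -- " is matched literally.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare( "SELECT _ID, title FROM %i WHERE title LIKE %s", $table, $like );
    return rest_ensure_response( $wpdb->get_results( $sql, ARRAY_A ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-cct/v1', '/search', array(
        'methods'             => WP_REST_Server::READABLE,   // GET
        'callback'            => 'demo_cct_search_hardened',
        // '__return_true' means no authentication: this is a "public REST GET
        // endpoint", the exploitation precondition from the advisory.
        'permission_callback' => '__return_true',
        'args'                => array(
            '_cct_search' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

Swapping the callback to `demo_cct_search_vulnerable` and requesting `/wp-json/demo-cct/v1/search?_cct_search=%27%20OR%201%3D1%20--%20` returns every row, which is the behaviour the advisory attributes to the real endpoint; the hardened version returns only rows whose title literally contains the string. Note that a `sanitize_callback` alone is not a fix: sanitize_text_field() does not remove single quotes, so the query itself must be parameterized.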
Indicators of Compromise
| CVE | Class | Detail |
|---|---|---|
| CVE-2026-4352 | SQLi | Affected software: JetEngine plugin for WordPress, versions up to and including 3.8.6.1 |
| CVE-2026-4352 | SQLi | Vulnerable component: Custom Content Type (CCT) REST API search endpoint |
| CVE-2026-4352 | SQLi | Vulnerable parameter: `_cct_search` |
| CVE-2026-4352 | SQLi | Root cause: `sprintf()` used to interpolate the parameter into the SQL string, with no sanitization and no `$wpdb->prepare()`; the REST API's `wp_unslash()` on `$_GET` removes the `wp_magic_quotes()` escaping first |
| CVE-2026-4352 | SQLi | Exploitation condition: Custom Content Types module enabled with at least one CCT configured with a public (unauthenticated) REST GET endpoint |