{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4352", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T17:46:14.666Z", "datePublished": "2026-04-14T01:25:01.077Z", "dateUpdated": "2026-04-14T14:04:52.928Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T01:25:01.077Z"}, "affected": [{"vendor": "Crocoblock", "product": "JetEngine", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation."}], "title": "JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via '_cct_search' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29a5701f-92f7-4a02-a990-b189a381cff5?source=cve"}, {"url": "https://crocoblock.com/plugins/jetengine/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "timeline": [{"time": "2026-03-17T18:06:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-13T12:57:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4352", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:37.340843Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:52.928Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4352", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:37.340843Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:12.361Z"}}], "cna": {"title": "JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via '_cct_search' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Crocoblock", "product": "JetEngine", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.8.6.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-17T18:06:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-13T12:57:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29a5701f-92f7-4a02-a990-b189a381cff5?source=cve"}, {"url": "https://crocoblock.com/plugins/jetengine/"}], "descriptions": [{"lang": "en", "value": "The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T01:25:01.077Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4352", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:04:52.928Z", "dateReserved": "2026-03-17T17:46:14.666Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-14T01:25:01.077Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation."}], "id": "CVE-2026-4352", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-14T02:16:05.613", "references": [{"source": "security@wordfence.com", "url": "https://crocoblock.com/plugins/jetengine/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29a5701f-92f7-4a02-a990-b189a381cff5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.8.6.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "JetEngine", "source": "cna", "vendor": "Crocoblock"}, "product": "jetengine", "vendor": "crocoblock"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T03:22:18.789389+00:00", "value": {"mitigation_remediation": ["Update JetEngine to a version newer than 3.8.6.1 to apply the vendor fix. ", "Disable the Custom Content Types module or remove public REST GET endpoints until the plugin is updated. ", "Verify that no other plugins or custom code introduce similar unsanitized query construction. "], "summary": {"action": "Patch Immediately", "impact": "SQL Injection leading to data exposure"}, "threat_synthesis": {"affected_systems": "The affected product is the Crocoblock JetEngine plugin for WordPress. All releases up to and including 3.8.6.1 are vulnerable. Exploitation requires that the Custom Content Types module be enabled and that at least one content type exposes a public REST GET endpoint. Users running these configurations are at risk.", "description_and_impact": "The JetEngine plugin for WordPress is susceptible to an unauthenticated SQL injection flaw in the Custom Content Type REST API search endpoint. The internal use of sprintf() to build a query string from the _cct_search parameter without sanitization or prepared statements allows an attacker to inject arbitrary SQL that is appended to the originating query. This can result in the unrestricted extraction of sensitive database content. The weakness is a classic input validation flaw, categorized as CWE-89. The CVSS score of 7.5 indicates a high severity impact for confidentiality and integrity.", "risk_and_exploitability": "The vulnerability exposes a high likelihood of exploitation via a straightforward HTTP request to the vulnerable endpoint, and the lack of authentication requirements makes it attractive to attackers. With a CVSS base score of 7.5 and no recorded presence in the CISA KEV catalog, the risk remains significant. An attacker could use the injected payload to read or modify database records, leading to data compromise and potential further compromise of the underlying WordPress installation."}}}}, "created": "2026-04-14T16:16:08.588806+00:00", "updated": "2026-04-14T16:31:05.266018+00:00", "vendors": ["crocoblock", "crocoblock$PRODUCT$jetengine", "wordpress", "wordpress$PRODUCT$wordpress"]}