wordfence / plugin · jet-engine

JetEngine

jet-engine
total installs: 0
total vulns: 15
critical: 0
high: 7
medium: 8
low: 0
latest vuln:
patched: 15
unpatched: 0
avg time to patch:
vulnerabilities (15)
JetEngine <= 3.8.8.1 - Unauthenticated SQL Injection
high ✓ patched
cvss score 7.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Apr 30, 2026
The JetEngine plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.8.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via '_cct_search' Parameter
high ✓ patched
cvss score 7.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Apr 13, 2026
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.
JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter
high ✓ patched
cvss score 7.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Mar 23, 2026
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query.
JetEngine <= 3.7.2 - Authenticated (Contributor+) Remote Code Execution
high ✓ patched
cvss score 8.8
cwe CWE-94: Improper Control of Generation of Code ('Code Injection')
published Feb 26, 2026
The JetEngine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
JetEngine < 3.8.4.1 - Authenticated (Contributor+) PHP Object Injection
high ✓ patched
cvss score 7.5
cwe CWE-502: Deserialization of Untrusted Data
published Feb 14, 2026
The JetEngine plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.8.4.1 (exclusive) via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
JetEngine <= 3.8.0 - Reflected Cross-Site Scripting
medium ✓ patched
cvss score 6.1
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Feb 11, 2026
The JetEngine plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
JetEngine <= 3.7.7 - Unauthenticated Stored Cross-Site Scripting
high ✓ patched
cvss score 7.2
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Jan 5, 2026
The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
JetEngine <= 3.8.1.1 - Missing Authorization
medium ✓ patched
cvss score 4.3
cwe CWE-862: Missing Authorization
published Dec 30, 2025
The JetEngine plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.8.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.
JetEngine <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Sep 18, 2025
The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
JetEngine <= 3.7.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Jul 30, 2025
The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
JetEngine <= 3.7.0 - Authenticated (Subscriber+) Information Exposure
medium ✓ patched
cvss score 4.3
cwe CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
published Jul 16, 2025
The JetEngine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
JetEngine <= 3.7.1 - Authenticated (Contributor+) Server-Side Template Injection to Remote Code Execution
high ✓ patched
cvss score 7.5
cwe CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
published Jul 13, 2025
The JetEngine plugin for WordPress is vulnerable to Remote Code Execution via SSTI in all versions up to, and including, 3.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
JetEngine <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Jun 27, 2025
The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
JetEngine <= 3.6.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 11, 2025
The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Jet Engine <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via list_tag Parameter
medium ✓ patched
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Jan 17, 2025
The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `list_tag` parameter in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.