{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jetengine/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4352"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["JetEngine plugin"],"_cs_severities":["critical"],"_cs_tags":["sqli","wordpress","jetengine","cve-2026-4352","web-application"],"_cs_type":"advisory","_cs_vendors":["JetEngine"],"content_html":"\u003cp\u003eThe JetEngine plugin for WordPress, a popular tool for creating custom content types, is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint. This vulnerability affects all versions up to and including 3.8.6.1. The root cause is the unsafe interpolation of the \u003ccode\u003e_cct_search\u003c/code\u003e parameter into a SQL query using \u003ccode\u003esprintf()\u003c/code\u003e without proper sanitization or the use of \u003ccode\u003e$wpdb-\u0026gt;prepare()\u003c/code\u003e.  The WordPress REST API's \u003ccode\u003ewp_unslash()\u003c/code\u003e function, which strips \u003ccode\u003ewp_magic_quotes()\u003c/code\u003e protection from the \u003ccode\u003e$_GET\u003c/code\u003e array, exacerbates the issue. Exploitation requires the Custom Content Types module to be enabled, with at least one CCT configured with a public REST GET endpoint. This vulnerability enables unauthenticated attackers to inject malicious SQL queries and potentially extract sensitive information from the WordPress database.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using JetEngine plugin version 3.8.6.1 or earlier with at least one Custom Content Type configured with a public REST GET endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request to the CCT REST API endpoint, including a SQL injection payload within the \u003ccode\u003e_cct_search\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe WordPress REST API receives the request and calls the \u003ccode\u003ewp_unslash()\u003c/code\u003e function to strip the \u003ccode\u003ewp_magic_quotes()\u003c/code\u003e protection from the \u003ccode\u003e$_GET\u003c/code\u003e array, allowing the SQL injection payload to pass unfiltered.\u003c/li\u003e\n\u003cli\u003eThe JetEngine plugin uses \u003ccode\u003esprintf()\u003c/code\u003e to directly interpolate the unsanitized \u003ccode\u003e_cct_search\u003c/code\u003e parameter into a SQL query string.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection to extract sensitive information such as user credentials, API keys, or other confidential data stored in the database.\u003c/li\u003e\n\u003cli\u003eThe attacker may further exploit the vulnerability to modify or delete data within the database, potentially leading to a complete compromise of the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised site as a beachhead for further attacks against the wider network infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-4352) can lead to the complete compromise of a WordPress website. An attacker can gain access to sensitive data, including user credentials, configuration files, and other confidential information stored within the database. This can result in data breaches, financial loss, and reputational damage. Given the widespread use of WordPress and the JetEngine plugin, a large number of websites are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the JetEngine plugin to the latest version (greater than 3.8.6.1) to patch CVE-2026-4352.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eJetEngine_CCT_SQLi_Detection\u003c/code\u003e to detect attempts to exploit this vulnerability via suspicious characters in the cs-uri-query field within web server logs.\u003c/li\u003e\n\u003cli\u003eDisable public REST GET endpoints for CCTs unless absolutely necessary to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eReview and sanitize all user-supplied input before using it in database queries to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-jetengine-sqli/","summary":"The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint, allowing unauthenticated attackers to extract sensitive database information.","title":"JetEngine WordPress Plugin SQL Injection Vulnerability (CVE-2026-4352)","url":"https://feed.craftedsignal.io/briefs/2024-01-jetengine-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Jetengine","version":"https://jsonfeed.org/version/1.1"}