<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Jetengine - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/jetengine/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/jetengine/feed.xml" rel="self" type="application/rss+xml"/><item><title>JetEngine WordPress Plugin SQL Injection Vulnerability (CVE-2026-4352)</title><link>https://feed.craftedsignal.io/briefs/2024-01-jetengine-sqli/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-jetengine-sqli/</guid><description>The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint, allowing unauthenticated attackers to extract sensitive database information.</description><content:encoded><![CDATA[<p>The JetEngine plugin for WordPress, a popular tool for creating custom content types, is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint. This vulnerability affects all versions up to and including 3.8.6.1. The root cause is the unsafe interpolation of the <code>_cct_search</code> parameter into a SQL query using <code>sprintf()</code> without proper sanitization or the use of <code>$wpdb-&gt;prepare()</code>.  The WordPress REST API's <code>wp_unslash()</code> function, which strips <code>wp_magic_quotes()</code> protection from the <code>$_GET</code> array, exacerbates the issue. Exploitation requires the Custom Content Types module to be enabled, with at least one CCT configured with a public REST GET endpoint. This vulnerability enables unauthenticated attackers to inject malicious SQL queries and potentially extract sensitive information from the WordPress database.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using JetEngine plugin version 3.8.6.1 or earlier with at least one Custom Content Type configured with a public REST GET endpoint.</li>
<li>The attacker crafts a malicious HTTP GET request to the CCT REST API endpoint, including a SQL injection payload within the <code>_cct_search</code> parameter.</li>
<li>The WordPress REST API receives the request and calls the <code>wp_unslash()</code> function to strip the <code>wp_magic_quotes()</code> protection from the <code>$_GET</code> array, allowing the SQL injection payload to pass unfiltered.</li>
<li>The JetEngine plugin uses <code>sprintf()</code> to directly interpolate the unsanitized <code>_cct_search</code> parameter into a SQL query string.</li>
<li>The injected SQL code is executed against the WordPress database.</li>
<li>The attacker leverages the SQL injection to extract sensitive information such as user credentials, API keys, or other confidential data stored in the database.</li>
<li>The attacker may further exploit the vulnerability to modify or delete data within the database, potentially leading to a complete compromise of the WordPress site.</li>
<li>The attacker uses the compromised site as a beachhead for further attacks against the wider network infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability (CVE-2026-4352) can lead to the complete compromise of a WordPress website. An attacker can gain access to sensitive data, including user credentials, configuration files, and other confidential information stored within the database. This can result in data breaches, financial loss, and reputational damage. Given the widespread use of WordPress and the JetEngine plugin, a large number of websites are potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the JetEngine plugin to the latest version (greater than 3.8.6.1) to patch CVE-2026-4352.</li>
<li>Deploy the Sigma rule <code>JetEngine_CCT_SQLi_Detection</code> to detect attempts to exploit this vulnerability via suspicious characters in the cs-uri-query field within web server logs.</li>
<li>Disable public REST GET endpoints for CCTs unless absolutely necessary to reduce the attack surface.</li>
<li>Review and sanitize all user-supplied input before using it in database queries to prevent SQL injection vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sqli</category><category>wordpress</category><category>jetengine</category><category>cve-2026-4352</category><category>web-application</category></item></channel></rss>