Security Alert Summary
The JetEngine plugin for WordPress contains a SQL injection vulnerability in the search endpoint of its Custom Content Type (CCT) REST API. It is reachable without authentication whenever the CCT module is enabled and at least one CCT exposes a public REST GET endpoint. The _cct_search parameter is inserted into a SQL string without sanitization, so an attacker can append SQL to the existing query and read sensitive data from the database.
CVE Details
- CVE ID: CVE-2026-4352
- Affected component: JetEngine plugin for WordPress (Custom Content Types module and its CCT REST API search endpoint)
- Affected versions: All versions up to, and including, 3.8.6.1
- Published: April 14, 2026 at 2:16:05 AM UTC
- Last modified: April 14, 2026 at 2:16:05 AM UTC
- CVSS v3.1: Base Score 7.5, Severity HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Attack vector / complexity: Network / Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Primary impact: Confidentiality: High; Integrity: None; Availability: None
- Weakness: CWE-89 (SQL Injection)
Technical Details
The vulnerability is a SQL injection in the Custom Content Type (CCT) REST API search endpoint. The plugin builds the query with sprintf(), interpolating the _cct_search parameter straight into the SQL string with no sanitization and without going through $wpdb->prepare(). Ordinarily wp_magic_quotes() backslash-escapes quotes in $_GET, which would blunt a quote-based injection even in unprepared SQL; the WordPress REST API, however, passes $_GET through wp_unslash(), which strips those backslashes, so a single quote in _cct_search reaches the query intact and terminates the string literal.
Because the parameter lands unescaped in the statement, an unauthenticated attacker can append additional SQL fragments to the existing query. Exploitation requires two conditions: the Custom Content Types module must be enabled, and at least one CCT must be configured with a public REST GET endpoint. The result is disclosure of sensitive information from the database, consistent with the CVSS rating of High confidentiality impact and no integrity or availability impact.
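The two patterns described above, as an added illustration that is not JetEngine's code: a query builder that interpolates _cct_search with sprintf() beside one that binds it through $wpdb->prepare(). FakeWpdb is an assumed stand-in that mimics only the prepare()/esc_like() behaviour needed so the file runs under the php CLI without WordPress; the jet_cct_<slug> table name, the title column and the payload are constructed for the example, and the payload is a generic piece of appended SQL, not a tested exploit for the plugin.

```php
<?php
// Added illustration, not JetEngine's code. FakeWpdb is an assumption: a
// stand-in for the WordPress $wpdb object covering just prepare() and
// esc_like(), so this runs with the php CLI outside WordPress.
declare(strict_types=1);

final class FakeWpdb {
    public string $prefix = 'wp_';

    /** Like wpdb::esc_like(): escape LIKE wildcards so input matches literally. */
    public function esc_like(string $text): string {
        return addcslashes($text, '_%\\');
    }

    /** Like wpdb::prepare(): each %s becomes a single-quoted, escaped literal. */
    public function prepare(string $query, string ...$args): string {
        $escaped = array_map(
            static fn (string $a): string => str_replace(["\\", "'"], ["\\\\", "\\'"], $a),
            $args
        );
        return vsprintf(str_replace('%s', "'%s'", $query), $escaped);
    }
}

// The REST API passes $_GET through wp_unslash(): the backslashes that
// wp_magic_quotes() added earlier are removed, so the quote reaches the handler.
function rest_param(array $slashed_get, string $name): string {
    return stripslashes($slashed_get[$name] ?? '');
}

// VULNERABLE: raw parameter glued in with sprintf(), no escaping, no prepare().
// Table name jet_cct_<slug> and column "title" are hypothetical.
function search_sql_vulnerable(FakeWpdb $wpdb, string $slug, string $search): string {
    return sprintf(
        "SELECT * FROM %sjet_cct_%s WHERE title LIKE '%%%s%%'",
        $wpdb->prefix, $slug, $search
    );
}

// HARDENED: value bound through prepare(), LIKE wildcards escaped, and the
// identifier (which prepare() cannot bind as %s) checked against an allow-list.
function search_sql_hardened(FakeWpdb $wpdb, string $slug, string $search): string {
    if (!preg_match('/^[a-z0-9_]{1,64}$/', $slug)) {
        throw new InvalidArgumentException('invalid CCT slug');
    }
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}jet_cct_{$slug} WHERE title LIKE %s",
        '%' . $wpdb->esc_like($search) . '%'
    );
}

$wpdb = new FakeWpdb();

// Constructed request as magic-quotes emulation would hand it to the REST layer:
// the quote arrives backslashed, wp_unslash() makes it live again.
$slashed_get = ['_cct_search' => "x\\' UNION SELECT user_email FROM wp_users-- "];
$search = rest_param($slashed_get, '_cct_search');

echo "vulnerable: ", search_sql_vulnerable($wpdb, 'books', $search), PHP_EOL;
echo "hardened:   ", search_sql_hardened($wpdb, 'books', $search), PHP_EOL;
```

Run it with php from the command line. The vulnerable builder emits the attacker's single quote unescaped, so everything after it is parsed as SQL, while the hardened builder emits it as \' inside the quoted literal and the whole value stays a search term. prepare() only binds values, which is why the table name still has to come from an allow-list; WordPress 6.2 and later also accept the %i placeholder for identifiers.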
How This Could Impact Your Website
Consider a site with a site owner, internal staff (editors or content managers), and external contributors or contractors who rely on custom content types exposed via public REST endpoints. If a vulnerable JetEngine CCT endpoint is present and reachable, an unauthenticated attacker can craft requests that make the site return data from the database beyond the intended CCT records.
- Internal user email addresses or other sensitive fields stored in the database could be exposed, raising the risk of targeted phishing or social engineering against staff.
- Disclosed data can reveal site structure, user roles, or content that helps an attacker plan further attacks.
- By itself the vulnerability is a data-exposure issue: the CVSS vector rates confidentiality impact High and integrity and availability None, so it does not directly modify content or disrupt the site. Data obtained this way can still be the first step in a larger compromise.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update JetEngine to a release newer than 3.8.6.1 as soon as the vendor publishes one; every release up to and including 3.8.6.1 is affected.
- Review and reduce unnecessary user roles, especially contributors and any accounts with REST exposure. This does not close the unauthenticated injection path, but it limits what an attacker can do with any addresses or credentials that leak.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Until the update is applied, disable the Custom Content Types module, or remove public REST GET access from CCTs that do not need it, since exploitation requires both. Remove unused or unmaintained plugins generally.
- Monitor site activity and logs for requests to REST endpoints (paths under /wp-json/ or requests using the rest_route parameter) whose _cct_search value contains quotes, SQL keywords, or comment sequences, and for unexpected query parameters in general.
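One way to do the log monitoring in the last step, as an added example that is not part of the original advisory or of any vendor tooling: a scanner that pulls _cct_search out of REST requests in a web-server access log and grades it by injection markers. The log lines are constructed, the /wp-json/jet-cct/<slug> route is an assumed path rather than one taken from the advisory, and the marker list is a starting point, not a complete signature set.

```php
<?php
// Added example, not from the advisory or the vendor. Sample log lines are
// constructed; the jet-cct route is an assumed path.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [14/Apr/2026:02:20:01 +0000] "GET /wp-json/jet-cct/books?_cct_search=hobbit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2026:02:20:05 +0000] "GET /wp-json/jet-cct/books?_cct_search=x%27%20UNION%20SELECT%20user_email%20FROM%20wp_users--%20 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [14/Apr/2026:02:21:10 +0000] "GET /wp-json/jet-cct/books?_cct_search=O%27Brien HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Apr/2026:02:21:30 +0000] "GET /?rest_route=/jet-cct/books&_cct_search=a%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "python-requests/2.31"
LOG;

/** Extract client IP, whether this is a REST request, and URL-decoded query params. */
function parse_request(string $line): ?array {
    if (!preg_match('/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $path = parse_url($m[1], PHP_URL_PATH);
    $query = parse_url($m[1], PHP_URL_QUERY);
    parse_str(is_string($query) ? $query : '', $params);   // decodes %27 -> ' and %20 -> space
    // WordPress serves REST either under /wp-json/ or via the rest_route query parameter.
    $is_rest = (is_string($path) && str_starts_with($path, '/wp-json/')) || isset($params['rest_route']);
    return ['ip' => strtok($line, ' '), 'rest' => $is_rest, 'params' => $params];
}

/** Markers that make a search value look like SQL rather than a search term. */
function injection_markers(string $value): array {
    $checks = [
        'quote'       => "/['\"]/",
        'sql-comment' => '#(--|/\*)#',
        'sql-keyword' => '/\b(UNION|SELECT|SLEEP|BENCHMARK|INFORMATION_SCHEMA|LOAD_FILE)\b/i',
        'tautology'   => '/\b(OR|AND)\s+[\w\'"]+\s*=\s*[\w\'"]+/i',
    ];
    $hits = [];
    foreach ($checks as $name => $re) {
        if (preg_match($re, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Grade each REST request carrying _cct_search; a lone apostrophe is low, quote plus SQL shape is high. */
function scan_log(string $log): array {
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_request($line);
        if ($req === null || !$req['rest'] || !isset($req['params']['_cct_search'])) {
            continue;
        }
        $value = $req['params']['_cct_search'];
        if (!is_string($value)) {
            continue;
        }
        $hits = injection_markers($value);
        if ($hits === []) {
            continue;
        }
        $sql_shape = array_intersect($hits, ['sql-comment', 'sql-keyword', 'tautology']) !== [];
        $severity = in_array('quote', $hits, true) && $sql_shape ? 'high' : ($sql_shape ? 'medium' : 'low');
        $findings[] = ['ip' => $req['ip'], 'severity' => $severity, 'markers' => $hits, 'value' => $value];
    }
    return $findings;
}

foreach (scan_log(SAMPLE_LOG) as $f) {
    printf("%-6s %-14s %-32s %s\n", $f['severity'], $f['ip'], implode(',', $f['markers']), $f['value']);
}
```

The severity split matters in practice: a legitimate search for O'Brien contains a quote, so a quote on its own is graded low and is better handled by rate or source correlation than by a per-request alert, whereas a quote followed by a UNION, a SLEEP() or a comment sequence is the shape the advisory describes and is worth paging on. Point scan_log() at real access logs, and extend the marker list with whatever your WAF or IDS already classifies as SQL injection.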
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.