Jetengine

The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query.

Published: 2026-03-24T04:27:50.452Z
Updated: 2026-04-08T17:32:21.875Z

The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.

Published: 2026-04-14T01:25:01.077Z
Updated: 2026-04-14T14:04:52.928Z

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection. This issue affects JetEngine: from n/a through 3.8.8.1.

Published: 2026-05-25T22:34:09.714Z
Updated: 2026-05-26T15:18:56.765Z

Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1.

Published: 2026-03-13T11:42:00.737Z
Updated: 2026-04-29T09:51:57.881Z

Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetEngine jet-engine allows Remote Code Inclusion.This issue affects JetEngine: from n/a through <= 3.7.2.

Published: 2026-03-05T05:54:31.474Z
Updated: 2026-04-28T16:15:09.346Z

Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through <= 3.8.1.1.

Published: 2026-01-07T11:52:24.090Z
Updated: 2026-04-28T16:14:37.719Z

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.8.0.

Published: 2026-02-20T15:46:38.333Z
Updated: 2026-04-28T19:59:35.697Z

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7.

Published: 2026-01-22T16:51:52.714Z
Updated: 2026-04-28T19:26:28.518Z

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS.This issue affects JetEngine: from n/a through <= 3.7.1.2.

Published: 2025-08-14T10:34:49.257Z
Updated: 2026-04-28T16:13:34.906Z

Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetEngine jet-engine allows Retrieve Embedded Sensitive Data.This issue affects JetEngine: from n/a through <= 3.7.0.

Published: 2025-08-20T08:03:21.927Z
Updated: 2026-04-29T09:51:56.722Z

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS.This issue affects JetEngine: from n/a through <= 3.7.0.

Published: 2025-08-20T08:03:22.441Z
Updated: 2026-04-28T16:13:20.071Z

Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Code Injection.This issue affects JetEngine: from n/a through <= 3.7.0.

Published: 2025-08-20T08:03:22.956Z
Updated: 2026-04-28T16:13:20.077Z

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS.This issue affects JetEngine: from n/a through <= 3.7.3.

Published: 2025-10-22T14:32:16.875Z
Updated: 2026-04-28T20:26:02.899Z

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows DOM-Based XSS.This issue affects JetEngine: from n/a through <= 3.6.4.1.

Published: 2025-04-15T21:53:11.010Z
Updated: 2026-04-28T16:11:40.858Z

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘list_tag’ parameter in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-01-18T07:05:10.395Z
Updated: 2026-04-08T17:32:38.460Z

Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through <= 3.2.4.

Published: 2025-01-02T14:14:17.899Z
Updated: 2026-04-29T09:51:52.404Z

Improper Privilege Management vulnerability in Crocoblock JetEngine allows Privilege Escalation.This issue affects JetEngine: from n/a through 3.2.4.

Published: 2024-05-17T08:38:18.542Z
Updated: 2026-04-28T16:08:54.864Z

Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input.

Published: 2021-08-16T12:15:32.000Z
Updated: 2024-08-04T01:44:23.526Z