External risk intelligence

JetEngine Unauthenticated SQL Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-49076

An unauthenticated SQL injection vulnerability exists in the JetEngine plugin, potentially allowing attackers to access or manipulate data without authentication. This could lead to unauthorized data exposure or system compromise if the plugin is exposed to the network.

SQL Injection

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

The vulnerability affects a WordPress plugin, which is typically deployed as a public-facing web application. Web plugins are designed to be reachable via the internet to serve users, making them a common part of the exposed attack surface for web servers.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the JetEngine plugin, affecting its SQL injection capabilities. This issue is particularly concerning as it can be exploited without requiring any user authentication, potentially allowing unauthorized access or manipulation of data. The main concern is confirming if this plugin is in use and if so, to what extent.

  • Unauthenticated SQL injection in a plugin.
  • Could lead to unauthorized data access.
  • Confirm plugin usage and exposure.

Attack Path

How an attacker could exploit the issue

An attacker can target this vulnerability through the internet without needing any credentials. The vulnerability exists within the JetEngine plugin, specifically in how it handles SQL queries. When this SQL injection vulnerability is triggered, it could potentially allow an attacker to access sensitive data or manipulate the database.

  • Network access is required.
  • Unauthenticated SQL injection in the plugin.
  • Potential for data exposure or database manipulation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious SQL commands into a targeted system. When supported by the advisory, this could affect database integrity and potentially expose sensitive information.

  • Database content may be at risk.
  • Unauthenticated network access could enable injection.
  • Unauthorized data access or system compromise may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection vulnerability in JetEngine affects web applications, likely managed by platform or infrastructure teams responsible for the web server and its plugins. The first step is to identify all instances of the affected plugin, determine their exposure and business criticality, and then assign ownership for remediation planning.

  • Platform or infrastructure teams own the issue.
  • Verify plugin reachability and business criticality.
  • Plan remediation based on exposure and risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-49076 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability involves unauthenticated SQL injection, which is a type of vulnerability that typically causes an automatic failure in PCI ASV scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the JetEngine plugin?

JetEngine is a popular WordPress plugin used to add dynamic functionality to websites. It allows site administrators to create custom post types, taxonomies, and advanced data listings, often serving as the backbone for complex content displays that interact directly with the underlying site database.

What is the weakness in CVE-2026-49076?

This vulnerability is classified as CWE-89, or SQL Injection. It occurs when a software component fails to properly filter user-supplied data before incorporating it into database queries. In this case, it allows an unauthenticated party to manipulate the SQL commands the plugin sends to the database, potentially bypassing data access controls.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending specially crafted web requests to the affected plugin. Because it is unauthenticated, no login or special user privileges are required to initiate the attack. Crucially, simply browsing the site normally does not trigger the flaw; it requires specifically malicious inputs designed to influence query logic.

Is my site at risk according to Halo Surface Signal?

Halo Surface Signal flags this as a likely concern because JetEngine is a WordPress plugin, which is typically installed to provide features for visitors. Since these features are intended to be reachable over the internet, the plugin is naturally part of your site's public-facing surface, making it accessible to remote actors.

Do I need to take action to secure my environment?

Yes. First, perform an inventory to locate all instances of the JetEngine plugin within your infrastructure. Once identified, evaluate the business criticality and network exposure of each instance. Coordinate with your platform or web management team to track this plugin and prepare for updates or configuration changes to mitigate the risk.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished