External risk intelligence

JetSearch SQL Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-49079

An unauthenticated SQL injection vulnerability exists in the JetSearch plugin, potentially allowing attackers to access or modify sensitive database information. This could impact data confidentiality and integrity if the plugin is publicly reachable.

SQL Injection

Halo Surface Signal

Likely · external exposure

This vulnerability affects a WordPress plugin (JetSearch) designed to provide search functionality on websites. As such, the vulnerable component is typically deployed as part of a public-facing web application, making it commonly reachable from the internet in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the JetSearch plugin, a tool used for website search functionality. This SQL injection flaw allows unauthenticated attackers to potentially access or manipulate sensitive database information over the network. The exact business impact depends on whether the plugin is in use and reachable, but vulnerabilities of this class can expose an organization's stored data to anyone who can reach the affected site.

  • Unauthenticated attackers can inject malicious SQL commands.
  • Affects common website search functionality.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to a website using the affected JetSearch plugin. This could allow them to inject malicious SQL code into the application's database queries. If successful, this could lead to the disclosure of sensitive data or unauthorized database modifications.

  • No authentication required.
  • The crafted request reaches a vulnerable SQL query.
  • Data disclosure or modification.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated SQL injection in the JetSearch plugin could allow an attacker to query or manipulate the website's database. This may occur when the affected plugin is used on a WordPress site.

  • Impacts database integrity and confidentiality.
  • Triggered by unauthenticated network requests.
  • Risk of compromised or leaked sensitive data.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection vulnerability in the JetSearch plugin impacts websites using this search functionality. Responsibility for addressing it typically falls to the website's application owners and the infrastructure or platform teams managing the web hosting environment, with coordination from security teams where needed. The first critical step is to identify all instances of the affected plugin, confirm their exposure and business criticality, and then prioritize remediation based on this risk assessment.

  • Application owners should manage the fix.
  • Verify public exposure and business impact.
  • Plan remediation during maintenance windows.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-49079 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is an unauthenticated SQL injection, which is a type of vulnerability that would cause an ASV scan to fail under PCI DSS Requirement 11.3.2.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Frequently asked questions

What is the JetSearch plugin used for?

JetSearch is a WordPress plugin designed to add search functionality to websites. It allows visitors to search for content, products, or posts within a site. Because it interacts directly with the site's database to retrieve these results, it acts as a bridge between user queries and stored information.

How does this SQL injection vulnerability work?

This flaw belongs to the CWE-89 weakness class, which occurs when an application fails to properly sanitize user input before including it in a database query. In CVE-2026-49079, the plugin does not safely handle requests, allowing an attacker to insert their own SQL commands. These commands are then executed by the database, potentially returning unintended data or altering records.
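The CWE-89 pattern described above, as an added example that is not code from the JetSearch plugin or from this advisory (the page does not show the plugin's actual query). It uses an in-memory SQLite table with constructed sample rows to contrast a search that splices the user's term into the SQL text with one that binds it as a parameter, so the same input behaves differently in each:

```python
import sqlite3

# Constructed sample data standing in for a site's posts table; only
# 'publish' rows are meant to be visible to anonymous visitors.
SAMPLE_POSTS = [
    (1, "Welcome post", "publish"),
    (2, "Draft roadmap", "draft"),
    (3, "Search tips", "publish"),
    (4, "Private notes", "private"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def search_vulnerable(conn, term):
    """CWE-89: the user-controlled term becomes part of the SQL text.

    A quote character in the term closes the string literal, so the
    remainder of the input is parsed as SQL and can change the WHERE clause.
    """
    sql = ("SELECT id, title FROM posts WHERE status = 'publish' "
           "AND title LIKE '%" + term + "%' ORDER BY id")
    return [row[1] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterized query: the statement's structure is fixed first and the
    term is bound as a value, so quote characters stay inside the literal."""
    sql = ("SELECT id, title FROM posts WHERE status = 'publish' "
           "AND title LIKE ? ORDER BY id")
    return [row[1] for row in conn.execute(sql, ("%" + term + "%",))]


def run_demo(term):
    """Return (concatenated_results, parameterized_results) for one term."""
    conn = make_db()
    try:
        return search_vulnerable(conn, term), search_safe(conn, term)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign term behaves identically in both versions; a term carrying a
    # quote and a SQL comment marker only changes the concatenated query.
    for term in ("tips", "x' OR 1=1 --"):
        vuln, safe = run_demo(term)
        print(f"{term!r}: concatenated -> {vuln}, parameterized -> {safe}")
```

With the second term, the concatenated statement ends up as `... AND title LIKE '%x' OR 1=1 --%'`: the `OR 1=1` defeats the status filter and the `--` comments out the rest, so draft and private rows come back. The parameterized version searches for that exact text as a title and returns nothing. The fix in WordPress plugin code is the same idea, binding values through the database layer's prepared-statement API rather than building SQL strings.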

Do I need to be logged in to trigger this bug?

No. This vulnerability is unauthenticated, meaning an attacker does not need an account or administrative access to the website to attempt the attack. It is triggered by sending specially crafted network requests to the search functionality of the site. Simply visiting the site or interacting with standard, safe search fields does not inherently trigger the vulnerability; it requires specifically malicious inputs designed to manipulate the underlying query.

Why should I care about CVE-2026-49079?

According to Halo Surface Signal, this plugin is typically deployed on public-facing web applications. Because JetSearch is meant to be used by site visitors, it is commonly reachable from the internet. If your site uses an affected version, it is likely exposed to remote attackers, making it important to determine if your specific environment is reachable.

How do I respond if I am running JetSearch?

Start by identifying all instances of the JetSearch plugin within your WordPress environments to see which sites are running versions 3.5.17 or older. Once identified, confirm the business criticality of those sites and evaluate their exposure to the internet. Coordinate with your team to prioritize updates or protective measures during your next scheduled maintenance window.
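The inventory step from the Operational Fix section and this answer, as an added example that is not part of the advisory or of any Halo tooling. It assumes plugin lists were collected per site with WP-CLI (`wp plugin list --format=json`), takes the plugin slug `jet-search` as an assumption (the page gives only the product name), and uses the page's stated ceiling of 3.5.17 to flag affected installs. The inventory below is constructed sample data, not real sites:

```python
import json
import re

# The slug is an assumption for this example; WP-CLI reports plugins by slug.
ASSUMED_SLUG = "jet-search"
# The advisory states versions 3.5.17 or older are affected.
LAST_AFFECTED = "3.5.17"

# Constructed sample: `wp plugin list --format=json` output from four
# hypothetical sites, keyed by site name. Not real inventory data.
SAMPLE_INVENTORY = {
    "shop.example": (
        '[{"name":"jet-search","status":"active","update":"available","version":"3.5.10"},'
        ' {"name":"akismet","status":"inactive","update":"none","version":"5.3"}]'
    ),
    "blog.example": '[{"name":"jet-search","status":"active","update":"none","version":"3.6.0"}]',
    "docs.example": '[{"name":"jet-search","status":"inactive","update":"available","version":"3.5.17"}]',
    "intranet.example": '[{"name":"classic-editor","status":"active","update":"none","version":"1.6.3"}]',
}


def parse_version(version):
    """Turn '3.5.17' into (3, 5, 17) so versions compare numerically.

    A plain string comparison would rank '3.5.17' below '3.5.9'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version):
    """True when the installed version is at or below the stated ceiling."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage(inventory, slug=ASSUMED_SLUG):
    """Return {site: (version, status, affected)} for every site with the plugin.

    Inactive installs are reported too: the plugin files stay on disk until
    the plugin is removed, so they still belong in the remediation list.
    """
    findings = {}
    for site, raw_json in inventory.items():
        for plugin in json.loads(raw_json):
            if plugin["name"] == slug:
                version = plugin["version"]
                findings[site] = (version, plugin["status"], is_affected(version))
    return findings


def affected_sites(inventory, slug=ASSUMED_SLUG):
    """Sorted list of sites whose installed version is within the affected range."""
    return sorted(site for site, (_, _, hit) in triage(inventory, slug).items() if hit)


if __name__ == "__main__":
    for site, (version, status, hit) in sorted(triage(SAMPLE_INVENTORY).items()):
        label = "AFFECTED" if hit else "ok"
        print(f"{site:18} {version:8} {status:9} {label}")
    print("Prioritize:", affected_sites(SAMPLE_INVENTORY))
```

The output from this script feeds the next two steps the answer describes: the affected list is cross-referenced with which sites are internet-facing and business-critical, and those determine the order in which updates are scheduled.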
