External risk intelligence

JetEngine Unauthenticated SQL Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-49084

An unauthenticated SQL injection vulnerability exists in JetEngine, potentially allowing attackers to access or manipulate sensitive database information. This issue is classified as external and likely reachable from the internet, posing a risk to data integrity and confidentiality. Confirming the presence and reachab

SQL Injection

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

This vulnerability affects a WordPress plugin, which is a type of web application component commonly deployed as a public-facing website or web service. As an internet-facing application, the plugin's functionality is directly accessible to external users, making it likely to be reachable from the internet in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns an unauthenticated SQL injection vulnerability found in JetEngine. This type of technical flaw can sometimes allow unauthorized access to or manipulation of data within a system. The primary concern at this stage is to confirm if this technology is present within our environment.

  • Unauthenticated code can access database information.
  • Executive visibility into potential data exposure risks.
  • Confirm relevance and assess exposure to this vulnerability.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests over the network to the JetEngine plugin. Because no authentication is required, an unauthenticated user can interact with the plugin's features. This interaction targets a flaw in how the plugin handles user input, potentially leading to unauthorized access to database information.

  • No authentication needed.
  • User input triggers SQL injection.
  • Unauthorized database access risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to perform SQL injection attacks against the affected system. When supported by the advisory's context, this could lead to unauthorized access to or modification of sensitive database information.

  • Database integrity and confidentiality.
  • Injection via unauthenticated network requests.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical SQL injection vulnerability in JetEngine affects unauthenticated users and is likely exposed externally. Application owners and platform teams are typically responsible for managing plugins like JetEngine. The first practical step is to identify all instances of the affected technology, determine their reachability and business criticality, and then prioritize remediation efforts based on risk.

  • Application owners should own the issue.
  • Verify plugin reachability and criticality.
  • Plan remediation based on exposure.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-49084 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is a SQL injection, which is a known issue that can cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the JetEngine plugin?

JetEngine is a popular WordPress plugin used to build dynamic websites by adding custom fields, post types, and listings. It serves as a core component for site owners to manage data structures and content display layouts within their WordPress environment.

What does CVE-2026-49084 mean by SQL injection?

This vulnerability is classified as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command. It means the software does not properly filter user input before using it to query the database. Consequently, an attacker can manipulate these queries to access or reveal sensitive information stored in the system's database.

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by sending specially crafted network requests to the JetEngine plugin. Because the vulnerability does not require authentication, the attacker does not need to log in or hold a user account to interact with the plugin. Simple, legitimate administrative actions performed by authorized users within the WordPress dashboard do not trigger this specific security flaw.

Is my website at risk from this CVE?

According to Halo Surface Signal, this vulnerability is likely reachable from the internet. Since JetEngine is a WordPress plugin typically deployed on public-facing websites, any instance accessible via the web may be reachable by external actors. If your installation of JetEngine is internet-facing, it should be prioritized for review.

What steps should I take if I use JetEngine?

First, conduct an inventory of all your WordPress sites to identify which instances run the affected plugin versions. Work with your platform team to assess the business criticality of these sites and verify their network reachability. Finally, ensure you are tracking official vendor updates to move toward remediation.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished