External risk intelligence

JetEngine SQL Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-54187

A critical unauthenticated SQL injection vulnerability exists in the JetEngine WordPress plugin. Attackers can exploit this flaw remotely to inject malicious SQL commands, potentially leading to unauthorized access and manipulation of sensitive database information. This poses a risk to data integrity and confidentiali

4Halo Surface Signal

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-54187

JetEngine is a WordPress plugin designed to extend website functionality. As a public-facing web component, it is commonly deployed in internet-facing web applications, making it accessible to remote users and automated scanners by default.

PCI scan relevance

PCI Relevance for CVE-2026-54187

Yes

CVE-2026-54187 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated SQL injection vulnerability in JetEngine allows for remote code execution and requires remediation for PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in JetEngine, a WordPress plugin, allowing unauthenticated attackers to inject SQL commands. This could potentially lead to unauthorized access or manipulation of sensitive data stored within affected systems. The main concern is confirming relevance and exposure to this type of plugin.

  • Unauthenticated SQL injection flaw found.
  • Affects internet-facing web applications.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can target the JetEngine plugin on a website, potentially through a network-accessible interface. By sending specially crafted input to the plugin, an attacker could trigger a SQL injection vulnerability. Successful exploitation could allow the attacker to access or manipulate backend database information.

  • No authentication required.
  • SQL injection via crafted input.
  • Data access and manipulation risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject SQL commands into the application when it processes specific requests. When successful, this could lead to unauthorized access and manipulation of the application's database.

  • Database information could be exposed.
  • Attacker sends crafted requests to the application.
  • Unauthorized access to sensitive data.

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability in JetEngine affects internet-facing web applications, requiring coordination between application owners and the security team. The first practical step is to inventory all JetEngine deployments, confirm their exposure, identify accountable owners, and then plan remediation based on business criticality and risk.

  • Application owners should manage the issue.
  • Verify external reachability and business impact.
  • Plan remediation during maintenance windows.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the JetEngine plugin used for?

JetEngine is a widely used plugin for WordPress sites that helps developers build dynamic content structures. It allows users to create custom post types, taxonomies, and meta fields without writing complex code. By extending the core capabilities of the WordPress database, it enables the display of sophisticated, data-driven layouts, which makes it a common component in many modern, content-heavy websites.

What does CVE-2026-54187 mean for my database?

This vulnerability is classified as a SQL Injection (CWE-89). It means that the software fails to properly sanitize user-provided data before using it in database queries. Because of this weakness, an attacker can input malicious commands that the system unknowingly executes. This could allow unauthorized parties to view sensitive information stored in your backend database or potentially alter existing data.

How is this SQL injection triggered?

The flaw is triggered when an attacker sends specially crafted requests to the plugin's functions. Because it is an unauthenticated vulnerability, the attacker does not need a user account or login privileges to initiate the attack. However, simply visiting the site normally does not trigger the bug; it requires a specific, intentional payload designed to interact with the vulnerable code path.

Why does Halo Surface Signal categorize this as an external risk?

Halo Surface Signal flags this as an external risk because JetEngine is typically deployed on web-facing servers to enhance site functionality. Since it is often reachable from the internet, remote actors—not just local users—can attempt to interact with the plugin. This broad accessibility increases the likelihood that a vulnerable instance could be discovered and targeted from outside your private network.

What should I do if I use JetEngine?

Start by identifying every WordPress site in your environment where JetEngine is currently active. Once you have a complete inventory, verify which instances are accessible over the internet versus those kept on internal-only networks. Coordinate with your technical teams to confirm the version in use and monitor for official updates that address this security gap to ensure your database remains protected.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished