Severity: CRITICAL | CVE-2026-56068 | CNA: Patchstack

CVE-2026-56068: WordPress JetEngine plugin <= 3.8.10.2 - SQL Injection vulnerability

Unauthenticated SQL injection in JetEngine versions <= 3.8.10.2.

Metrics

CVSS v3.1 score: 9.3
Severity: CRITICAL
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the JetEngine WordPress plugin at version 3.8.10.2 and earlier. The flaw is reachable over the network with no credentials required, making it exploitable by any external party who can reach the WordPress installation. Successful exploitation gives an attacker read access to the database contents and limited ability to disrupt service availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-56068 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Patchstack. Coverage extends to custom-built images that bundle the JetEngine plugin, not only official distribution images.

Triage: Available

Triage is available with a CVSS v3.1 score of 9.3 (Critical) applied to each matched image, weighted against per-environment compliance policies to reflect the actual exposure level in each customer org. Findings are routed to the appropriate team inbox based on each customer's configured ownership rules.

Patch: Pending upstream

No fix version has been published upstream for CVE-2026-56068, so HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment Crocoblock ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation.

  • Authentication: Not required

    No account or session credentials are needed; the injection is reachable by any unauthenticated request.

  • Victim interaction: Not required

    The attack is entirely server-side and requires no action from any user or administrator of the target site.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race windows, or environmental factors to succeed.

Blast Radius

  • An attacker reads arbitrary rows from the WordPress database, including stored user credentials, session tokens, and any plugin or site configuration data.
  • Because the vulnerability carries a changed scope, database contents from the affected WordPress instance can be extracted regardless of logical separation between components.
  • The availability impact is low but present, meaning crafted queries can degrade or partially disrupt database responsiveness for the affected installation.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-56068 is flagged as Critical (CVSS 9.3) with no upstream fix currently published, so the immediate priority is detection and containment. HarborGuard monitors the Patchstack advisory and all linked upstream sources on every ingest cycle and will surface a patched-image rebuild the moment Crocoblock releases a remediated version of JetEngine. For customers with auto-remediation enabled, that rebuild will be paired with a regression run and a PR opened against affected workloads automatically. In the interim, compensating controls worth considering include network-policy rules that restrict public access to the WordPress installation to known IP ranges, web application firewall rules targeting SQL injection patterns in the specific plugin routes, and disabling or feature-flag-gating the JetEngine functionality if it is not actively required in a given environment.

Affected packages
  • Crocoblock. Jetimpex Inc. / JetEngine: ≤ 3.8.10.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L