Crocoblock JetEngine vulnerabilities
20 known vulnerabilities affecting crocoblock/jetengine.
Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 10, MEDIUM 8
Vulnerabilities
CVE-2026-42774 | P2 | CRITICAL | CVSS 9.3 | CWE-89 | ≥ n/a, ≤ 3.8.8.1 | 2026-05-25
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection.
This issue affects JetEngine: from n/a through 3.8.8.1.
Sources: cvelistv5, nvd
CVE-2026-32355 | P3 | HIGH | CVSS 8.8 | CWE-502 | ≤ 3.8.4.1 | 2026-03-13
Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection. This issue affects JetEngine: from n/a through < 3.8.4.1.
Source: nvd
CVE-2023-48757 | P3 | HIGH | CVSS 8.8 | CWE-269 | ≥ n/a, ≤ 3.2.4 | 2024-05-17
Improper Privilege Management vulnerability in Crocoblock JetEngine allows Privilege Escalation. This issue affects JetEngine: from n/a through 3.2.4.
Source: nvd
CVE-2026-28134 | P3 | HIGH | CVSS 8.5 | CWE-94 | ≤ 3.7.2 | 2026-03-05
Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetEngine jet-engine allows Remote Code Inclusion. This issue affects JetEngine: from n/a through <= 3.7.2.
Source: nvd
CVE-2026-4352 | P3 | HIGH | CVSS 7.5 | CWE-89 | ≤ 3.8.6.1 | 2026-04-14
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `w
Source: nvd
CVE-2025-53194 | P3 | HIGH | CVSS 8.5 | CWE-82 | ≤ 3.7.0 | 2025-08-20
Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Code Injection. This issue affects JetEngine: from n/a through <= 3.7.0.
Source: nvd
CVE-2026-4662 | P3 | HIGH | CVSS 7.5 | CWE-89 | ≤ 3.8.6.1 | 2026-03-24
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` m
Source: nvd
CVE-2021-41844 | P3 | CRITICAL | CVSS 9.8 | CWE-20 | fixed in 2.9.1 | 2021-12-15
Crocoblock JetEngine before 2.9.1 does not properly validate and sanitize form data.
Source: nvd
CVE-2023-48758 | P3 | HIGH | CVSS 7.1 | CWE-862 | ≤ 3.2.4 | 2025-01-02
Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetEngine: from n/a through <= 3.2.4.
Source: nvd
CVE-2025-53196 | P4 | MEDIUM | CVSS 6.5 | CWE-201 | ≤ 3.7.0 | 2025-08-20
Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetEngine jet-engine allows Retrieve Embedded Sensitive Data. This issue affects JetEngine: from n/a through <= 3.7.0.
Source: nvd
CVE-2025-0369 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 3.6.2 | 2025-01-18
The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘list_tag’ parameter in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that wi
Source: nvd
CVE-2025-49938 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | ≤ 3.7.3 | 2025-10-22
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS. This issue affects JetEngine: from n/a through <= 3.7.3.
Source: nvd
CVE-2025-67923 | P4 | HIGH | CVSS 7.1 | CWE-79 | ≤ 3.7.7 | 2026-01-22
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.7.7.
Source: nvd
CVE-2025-53195 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | ≤ 3.7.0 | 2025-08-20
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS. This issue affects JetEngine: from n/a through <= 3.7.0.
Source: nvd
CVE-2025-54688 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | ≤ 3.7.1.2 | 2025-08-14
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Stored XSS. This issue affects JetEngine: from n/a through <= 3.7.1.2.
Source: nvd
CVE-2025-68495 | P4 | HIGH | CVSS 7.1 | CWE-79 | ≤ 3.8.0 | 2026-02-20
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.8.0.
Source: nvd
CVE-2025-26870 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | ≤ 3.6.4.1 | 2025-04-15
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows DOM-Based XSS. This issue affects JetEngine: from n/a through <= 3.6.4.1.
Source: nvd
CVE-2021-38607 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.6.1 | 2021-08-16
Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input.
Source: nvd
CVE-2025-69333 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | ≤ 3.8.1.1 | 2026-01-07
Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetEngine: from n/a through <= 3.8.1.1.
Source: nvd
CVE-2026-12360 | HIGH | CVSS 7.5 | CWE-89 | ≤ 3.8.10.1 | 2026-06-17
JetEngine <= 3.8.10.1 - Unauthenticated SQL Injection via Listing Grid Load More AJAX Endpoint
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter int
Source: cvelistv5