_explained / cve-2026-4352-jetengine-wordpress-sql-injection
HIGH PLAIN ENGLISH 4 min read

Popular WordPress Plugin Exposes 100,000+ Websites to Database Theft

JetEngine plugin allows hackers to steal entire website databases without logging in. Affects custom content sites and online stores worldwide.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Hackers can steal your entire WordPress database — customer records, passwords, private content — through a plugin used by over 100,000 websites, no login required.

What's happening

The JetEngine plugin, a popular tool for creating custom content on WordPress sites, contains a critical security flaw that lets attackers read any information stored in your website's database. This affects e-commerce stores with customer data, membership sites with user profiles, business directories, real estate listings, and any site using custom content types. In practice it means an attacker anywhere in the world can potentially pull your entire database, including usernames, email addresses, password hashes (which can then be cracked offline), private posts, and sensitive business information, in minutes.

How the attack works

Think of this like a hotel concierge who takes requests over the phone. Normally, when you call and ask for information about a guest, the concierge checks a prepared list of approved questions. In this case, the concierge accidentally allows callers to rewrite their own questions mid-conversation. An attacker can call JetEngine's search feature and, instead of searching for normal content, slip their own database commands into the search term. They might start with an innocent search like 'find all blog posts about cats' and then append instructions like 'also show me every username and password hash.' Because the plugin glues the search term straight into its database query, the database cannot tell the attacker's additions from the plugin's own instructions and runs the whole thing.

The technical reality

The flaw is in JetEngine's Custom Content Type REST API search endpoint, where the value of the _cct_search parameter is interpolated directly into a SQL query with sprintf() instead of being escaped or passed through $wpdb->prepare(). WordPress adds backslashes to incoming request data (its magic-quotes emulation), which on its own would neutralize a stray single quote, but the code runs the parameter through wp_unslash() first, so the quote reaches the query intact and an attacker can close the string literal and append SQL of their own. This earns a CVSS score of 7.5 (HIGH) because it requires no authentication and can expose sensitive data across the entire database schema.
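To make the mechanism concrete, here is an added illustration written for this article in Python against a throwaway SQLite database. It is not JetEngine's code (which is PHP): the table names, rows and the password hash are constructed, and Python's %-formatting stands in for PHP's sprintf(). The vulnerable function pastes the search term into the SQL text; the safe one binds it as a parameter, which is what $wpdb->prepare() does in WordPress.

```python
"""Illustrative model of a sprintf-style SQL injection (constructed example,
not JetEngine's code). search_vulnerable() builds SQL by string formatting;
search_safe() binds the term as a parameter instead."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one custom-content table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cct_posts (id INTEGER, title TEXT);
        INSERT INTO cct_posts VALUES (1, 'Cats of the office'), (2, 'Quarterly report');
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bconstructedhash0000000000000');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Bug: the caller's string becomes part of the SQL statement itself."""
    sql = "SELECT title FROM cct_posts WHERE title LIKE '%%%s%%'" % term
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Fix: the term is bound as data; quotes inside it cannot alter the query."""
    sql = "SELECT title FROM cct_posts WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# A single quote closes the LIKE string, UNION appends a second SELECT with
# the same column count, and "--" comments out the rest of the original query.
PAYLOAD = "x' UNION SELECT user_login || ':' || user_pass FROM wp_users -- "


def demo() -> dict:
    """Run a normal search and the payload through both versions."""
    conn = make_db()
    return {
        "normal search, vulnerable": search_vulnerable(conn, "cats"),
        "payload, vulnerable": search_vulnerable(conn, PAYLOAD),
        "normal search, safe": search_safe(conn, "cats"),
        "payload, safe": search_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Against the vulnerable function the payload returns the admin login and hash from a table the search was never meant to touch; against the parameterized one it is just an unusual search string that matches nothing.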

Who is at risk

Any WordPress site running JetEngine version 3.8.6.1 or earlier faces immediate risk. This particularly impacts sites using JetEngine for custom post types, product catalogs, directory listings, portfolios, or membership content. The flaw is in the plugin itself, so hosting provider and WordPress version make no difference; a web application firewall may block known payloads but does not remove the bug. Sites with JetEngine's REST API endpoints active, which is the default configuration, can be attacked by anyone who discovers the site uses this plugin, and no account is needed. Security researchers at Wordfence discovered this flaw during routine plugin auditing, though no active exploitation campaigns have been confirmed yet.

What you should do right now

1. Update immediately: Log into your WordPress admin dashboard, navigate to Plugins, and update JetEngine to version 3.8.6.2 or later. If you manage multiple sites, prioritize those processing customer data or sensitive information.

2. Audit your access logs: Check your web server logs for REST API requests whose URL contains 'cct_search' from the past 30 days. Look for single quotes, semicolons, comment markers (--) or SQL keywords like 'UNION' or 'SELECT' in the parameter value, and remember that browsers and tools usually send these percent-encoded (a single quote appears as %27, a semicolon as %3B), so decode the URL before judging it. A matching request shows an attempt, not proof that data was taken; treat it as a reason to investigate further and rotate credentials.

3. Implement additional protection: Install a Web Application Firewall like Wordfence or Sucuri that can block SQL injection attempts. A firewall is a stopgap, not a fix, so still apply the update. If you do not actively need the search functionality, consider disabling JetEngine's REST API endpoints via your security plugin until the update is in place.
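For the log check in step 2, here is an added example of the kind of scan a site owner or hosting team could run. It is illustrative Python written for this article, not a Wordfence or JetEngine tool. The log lines, IP addresses, timestamps and the /wp-json/plugin-route/search path are constructed; only the _cct_search parameter name comes from the advisory text. It decodes values repeatedly so double-encoded payloads (%2527 for a quote) are caught, and it does not flag a lone SQL keyword, since ordinary searches contain words like 'select'.

```python
"""Scan access-log lines for _cct_search requests carrying SQL injection
markers (constructed example for this article, not a vendor tool)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers checked on the decoded search value. A lone SQL keyword is not
# flagged on its own: ordinary searches ("select committee") contain them.
INDICATORS = [
    ("single quote", re.compile(r"'")),
    ("statement separator", re.compile(r";")),
    ("SQL comment", re.compile(r"--|/\*")),
    ("UNION ... SELECT", re.compile(r"\bunion\b.*\bselect\b", re.I)),
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so a double-encoded %2527 still becomes a quote."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line: str):
    """Return (ip, timestamp, reasons) for a suspicious cct_search request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a recognisable access-log line
    query = urlsplit(m["uri"]).query
    params = parse_qs(query, keep_blank_values=True)  # decodes each value once
    values = [v for key, vs in params.items() if "cct_search" in key.lower() for v in vs]
    if not values:
        return None  # request did not touch the search parameter
    reasons = []
    for raw in values:
        decoded = fully_decode(raw)
        for name, pattern in INDICATORS:
            if pattern.search(decoded) and name not in reasons:
                reasons.append(name)
    return (m["ip"], m["ts"], reasons) if reasons else None


def scan(lines):
    """All suspicious hits in a log, in order of appearance."""
    return [hit for hit in (analyze_line(line) for line in lines) if hit]


# Constructed sample log (combined format). Lines 2 and 3 are hostile;
# the path /wp-json/plugin-route/search is a placeholder, not a real route.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:15:02 +0000] "GET /wp-json/plugin-route/search?_cct_search=cats HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:15:09 +0000] "GET /wp-json/plugin-route/search?_cct_search=cats%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2026:11:02:44 +0000] "GET /wp-json/plugin-route/search?_cct_search=x%2527%2520UNION%2520SELECT%25201%252C2-- HTTP/1.1" 200 640 "-" "curl/8.5.0"',
    '192.0.2.50 - - [12/Mar/2026:11:30:01 +0000] "GET /wp-json/plugin-route/search?_cct_search=select+committee HTTP/1.1" 200 905 "-" "Mozilla/5.0"',
    '192.0.2.51 - - [12/Mar/2026:11:31:15 +0000] "GET /wp-login.php?redirect_to=%27 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    "not a log line at all",
]


if __name__ == "__main__":
    for ip, ts, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {ip}: {', '.join(reasons)}")
```

Point scan() at the real log (one line per entry) and review every hit by hand; a 200 status on a flagged request tells you the server answered, not whether the injected query returned data.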

// TOPICS
#sql-injection #wordpress-plugin #rest-api #unauth-access #parameter-injection
// WANT MORE DETAIL?

The technical analysis covers the exact vulnerability mechanism, affected code paths, attack chain, detection methods, and full remediation guide.
