Plugin Vulnerability Hub
Plugin | 15 known issues | Latest disclosed Mar 23, 2026

JetEngine Vulnerabilities

Review known vulnerability records for the WordPress plugin JetEngine (`jet-engine`), including severity, CVE references, affected versions, and patch status.

Known Records: 15
High or Critical: 7
Linked CVEs: 15
Last Updated: Mar 23, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for JetEngine so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility: 15 records include a published patch path.
Severity Mix: 0 critical and 7 high severity findings.
Reference Workflow: Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.

Known Vulnerabilities

Reports for JetEngine

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Severity: High | Patched: Yes | CVE-2026-4662
JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter

The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled i...

Published: Mar 23, 2026
Patched Release: 3.8.6.2
Affected Versions: Versions up to 3.8.6.1
Next Step: Update to 3.8.6.2 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2026-28134
JetEngine <= 3.7.2 - Authenticated (Contributor+) Remote Code Execution

The JetEngine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Published: Feb 26, 2026
Patched Release: 3.8.1.2
Affected Versions: Versions up to 3.7.2
Next Step: Update to 3.8.1.2 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-68495
JetEngine <= 3.8.0 - Reflected Cross-Site Scripting

The JetEngine plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages tha...

Published: Feb 11, 2026
Patched Release: 3.8.1
Affected Versions: Versions up to 3.8.0
Next Step: Update to 3.8.1 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2025-67923
JetEngine <= 3.7.7 - Unauthenticated Stored Cross-Site Scripting

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...

Published: Jan 05, 2026
Patched Release: 3.7.8
Affected Versions: Versions up to 3.7.7
Next Step: Update to 3.7.8 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-69333
JetEngine <= 3.8.1.1 - Missing Authorization

The JetEngine plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.8.1.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauth...

Published: Dec 30, 2025
Patched Release: 3.8.1.2
Affected Versions: Versions up to 3.8.1.1
Next Step: Update to 3.8.1.2 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-49938
JetEngine <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...

Published: Sep 18, 2025
Patched Release: 3.7.4
Affected Versions: Versions up to 3.7.3
Next Step: Update to 3.7.4 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-54688
JetEngine <= 3.7.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to in...

Published: Jul 30, 2025
Patched Release: 3.7.2
Affected Versions: Versions up to 3.7.1.2
Next Step: Update to 3.7.2 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-53196
JetEngine <= 3.7.0 - Authenticated (Subscriber+) Information Exposure

The JetEngine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

Published: Jul 16, 2025
Patched Release: 3.7.1.1
Affected Versions: Versions up to 3.7.0
Next Step: Update to 3.7.1.1 or newer if supported.

Plugin | Severity: High | Patched: Yes | CVE-2025-53194
JetEngine <= 3.7.1 - Authenticated (Contributor+) Server-Side Template Injection to Remote Code Execution

The JetEngine plugin for WordPress is vulnerable to Remote Code Execution via SSTI in all versions up to, and including, 3.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Published: Jul 13, 2025
Patched Release: 3.7.1.1
Affected Versions: Versions up to 3.7.1
Next Step: Update to 3.7.1.1 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-53195
JetEngine <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...

Published: Jun 27, 2025
Patched Release: 3.7.1.1
Affected Versions: Versions up to 3.7.0
Next Step: Update to 3.7.1.1 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-26870
JetEngine <= 3.6.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to in...

Published: Apr 11, 2025
Patched Release: 3.6.5
Affected Versions: Versions up to 3.6.4.1
Next Step: Update to 3.6.5 or newer if supported.

Plugin | Severity: Medium | Patched: Yes | CVE-2025-0369
Jet Engine <= 3.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via list_tag Parameter

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘list_tag’ parameter in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributo...

Published: Jan 17, 2025
Patched Release: 3.6.3
Affected Versions: Versions up to 3.6.2
Next Step: Update to 3.6.3 or newer if supported.