CVE Catalog

CVE-2026-12360

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile — higher than 33% of all known CVEs

Summary

The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is not verified in the HMAC signature, allowing for SQL injection.

Risk Assessment

Unauthenticated attackers can exploit this vulnerability to perform SQL injection attacks, potentially leading to data exposure or database compromise.

Recommendation

It is recommended to update the JetEngine plugin to the latest version to mitigate this vulnerability. Additionally, conducting a security audit of the application to identify other potential vulnerabilities is advisable.

Original NVD description (English source)

The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS