CVE-2026-12360
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is not verified in the HMAC signature, allowing for SQL injection.
Risk Assessment
Unauthenticated attackers can exploit this vulnerability to perform SQL injection attacks, potentially leading to data exposure or database compromise.
Recommendation
It is recommended to update the JetEngine plugin to the latest version to mitigate this vulnerability. Additionally, conducting a security audit of the application to identify other potential vulnerabilities is advisable.
Original NVD description (English source)
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.

