Description
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.
Published: 2026-06-17
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JetEngine WordPress plugin contains an injection flaw in the listing_load_more AJAX handler. The filtered_query parameter, used to deliver front‑end filter selections, bypasses the HMAC signature check and its meta_query values are not sanitized. An unauthenticated user can supply a crafted meta_query payload that is directly merged into an SQL statement, enabling time‑based or boolean blind SQL injection. This allows the attacker to retrieve sensitive data, exfiltrate database contents, or potentially alter data, compromising data confidentiality and integrity. The flaw is a classic SQL injection weakness, classified as CWE‑89.

Affected Systems

All installations of Crocoblock JetEngine version 3.8.10.1 or earlier are affected. The vulnerability applies to WordPress sites that have the JetEngine plugin enabled and expose public Listing Grid pages.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact. The EPSS score is less than 1 %, implying a low likelihood of observed exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. However, the unauthenticated nature and web‑surface exposure (any public Listing Grid page) mean that the attack path is straightforward for an automated scanner or attacker with knowledge of the site structure. If exploited, the attacker can read arbitrary database tables, potentially leading to data loss or further compromise.

Generated by OpenCVE AI on June 17, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest JetEngine plugin (at least version 3.9.0) as released by Crocoblock to remove the vulnerable code path.
  • If upgrading is delayed or impossible, restrict access to the listing_load_more AJAX endpoint by configuring a Web Application Firewall to block requests that contain untrusted meta_query values or require user authentication for that endpoint.
  • Implement a WAF rule set that filters out known SQL injection payloads, and optionally enable the Wordfence threat intelligence policy referenced in the advisory to block attempted exploitation.

Generated by OpenCVE AI on June 17, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress
Vendors & Products Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.
Title JetEngine <= 3.8.10.1 - Unauthenticated SQL Injection via Listing Grid Load More AJAX Endpoint
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Crocoblock Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-17T10:38:14.097Z

Reserved: 2026-06-16T01:28:32.414Z

Link: CVE-2026-12360

cve-icon Vulnrichment

Updated: 2026-06-17T10:38:08.786Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T07:30:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')