Description
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection allowing sensitive data extraction
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the JetEngine plugin for WordPress, affecting all releases up to and including 3.8.6.1. It is triggered through the listing_load_more AJAX action when the filtered_query parameter is not included in the HMAC signature validation. Because the prepare_where_clause() method fails to sanitize the compare operator, attackers can inject arbitrary SQL statements. The result is unauthenticated extraction of database contents, exposing sensitive data owned by the WordPress site.

Affected Systems

WordPress sites that have the Crocoblock JetEngine plugin installed with a Listing Grid having the Load More feature enabled. Any version of JetEngine 3.8.6.1 or earlier is vulnerable, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and while an EPSS score is not reported, the lack of authentication requirement makes exploitation straightforward for attackers who can reach the affected URL. The vulnerability is not listed in the CISA KEV catalog, but the discovered exploit opportunities and the widespread usage of JetEngine suggest a significant risk profile.

Generated by OpenCVE AI on March 24, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetEngine to the latest version (3.8.6.2 or newer) to ensure the filtered_query parameter is protected by the HMAC signature.
  • If an upgrade is not immediately possible, disable the Listing Grid Load More feature or temporarily deactivate the JetEngine plugin on affected sites.
  • Restrict access to the listing_load_more AJAX endpoint by implementing IP whitelisting or by requiring authentication.
  • Audit the database for anomalous SQL activity and apply web application firewall rules to block suspicious query patterns.

Generated by OpenCVE AI on March 24, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress
Vendors & Products Crocoblock
Crocoblock jetengine
Wordpress
Wordpress wordpress

Tue, 24 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Description The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query.
Title JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Crocoblock Jetengine
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:21.875Z

Reserved: 2026-03-23T16:17:21.389Z

Link: CVE-2026-4662

cve-icon Vulnrichment

Updated: 2026-03-24T13:32:39.000Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-24T05:16:25.600

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-4662

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:40:05Z

Weaknesses