Vypr Intelligence · AI-generated · Jun 17, 2026 · 9 CVEs

JetEngine: Nine Vulnerabilities Disclosed Including Four Unauthenticated SQLi Flaws

Nine vulnerabilities — including four unauthenticated SQLi flaws and two PHP object injection bugs — were disclosed for the JetEngine WordPress plugin on June 17, 2026.

Key findings

  • Nine CVEs disclosed on June 17, 2026 for the JetEngine WordPress plugin
  • Four unauthenticated SQL injection flaws, including CVE-2026-12360 via the listing_load_more AJAX handler
  • Three unauthenticated stored XSS vulnerabilities across multiple version ranges
  • Two PHP object injection bugs, one exploitable without authentication
  • All affected versions are 3.8.10.1 or earlier; the newest flaws are fixed in 3.8.10.2 and the older ones in earlier point releases
  • The batch was coordinated by Wordfence and Patchstack researchers

On June 17, 2026, a batch of nine security vulnerabilities was disclosed for the JetEngine plugin for WordPress, a popular dynamic content and listing builder used by tens of thousands of sites. The disclosure, coordinated by Wordfence and Patchstack, spans multiple bug classes — SQL injection, cross-site scripting (XSS), and PHP object injection — with the most severe flaws rated critical and exploitable without authentication. The batch underscores the risk of complex plugins that expose AJAX endpoints and user-supplied data to unauthenticated visitors.

SQL Injection (4 CVEs)

The largest group in the batch is SQL injection, with four distinct CVEs affecting different version ranges and attack surfaces. CVE-2026-54187 and CVE-2026-12360 both impact versions up to 3.8.10.1. The latter is particularly notable: the listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration, allowing an unauthenticated attacker to inject arbitrary SQL. CVE-2026-49084 affects versions prior to 3.8.9.1, while CVE-2026-49076 affects versions up to 3.8.9.1. All four SQLi CVEs are rated critical and require no authentication to exploit.
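The CVE-2026-12360 description above makes a general point: a request parameter that is deliberately left out of the HMAC signature is fully client-controlled, so the signature says nothing about its contents and it must be constrained before it reaches SQL. The following added example (not JetEngine code; the parameter names, allow-lists and table are hypothetical and constructed for the demonstration) shows both halves: a signature that covers only part of the request still verifies after the unsigned part is changed, and a parameterized, allow-listed translation of a client filter that is safe regardless of what the client sends.

```python
import hashlib
import hmac
import json
import sqlite3

SECRET = b"constructed-demo-secret"  # constructed; a real site uses a per-site key


def sign(params: dict, signed_keys: tuple) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of only the listed keys."""
    payload = json.dumps({k: params[k] for k in signed_keys}, sort_keys=True).encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def verify(params: dict, sig: str, signed_keys: tuple) -> bool:
    return hmac.compare_digest(sign(params, signed_keys), sig)


# Weak design: only 'query' is signed; 'filtered_query' is built by the front end
# (as the page says of the real handler) and is therefore entirely client-controlled.
WEAK_SIGNED = ("query",)

# Hardened design: the client may only choose among allow-listed columns and operators,
# and every value is bound as a parameter, never concatenated into the SQL text.
ALLOWED_COLUMNS = {"price", "status"}
ALLOWED_OPS = {"=", "<", ">"}


def build_where(filtered_query: list) -> tuple:
    """Translate a client filter list into a parameterized WHERE clause or reject it."""
    clauses, args = [], []
    for f in filtered_query:
        col, op, val = f["column"], f["op"], f["value"]
        if col not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
            raise ValueError(f"rejected filter {col!r} {op!r}")
        clauses.append(f"{col} {op} ?")  # column/operator come from the allow-list only
        args.append(val)                 # value is bound, so its content cannot alter the query
    return " AND ".join(clauses) or "1=1", args


def run_listing(filtered_query: list) -> list:
    """Run the hardened listing query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (id INTEGER, price INTEGER, status TEXT)")
    conn.executemany("INSERT INTO listings VALUES (?, ?, ?)",
                     [(1, 10, "public"), (2, 50, "private"), (3, 30, "public")])
    where, args = build_where(filtered_query)
    return [row[0] for row in conn.execute(f"SELECT id FROM listings WHERE {where}", args)]
```

Signing `filtered_query` as well would break the front-end filtering the exclusion exists to support, which is why the allow-list and parameter binding in `build_where` are the control that actually matters.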

Cross-Site Scripting (3 CVEs)

Three unauthenticated stored XSS vulnerabilities were disclosed: CVE-2026-54189, CVE-2026-54188, and CVE-2026-49074. The first two affect versions up to 3.8.10, while the third affects versions up to 3.8.9.1. These flaws allow an attacker to inject arbitrary JavaScript into pages rendered by the plugin, potentially leading to session hijacking, credential theft, or defacement. Because no authentication is required, any visitor to a vulnerable site can trigger the exploit.

PHP Object Injection (2 CVEs)

Two PHP object injection vulnerabilities were disclosed: CVE-2026-52706 (unauthenticated, affecting versions up to 3.8.10) and CVE-2026-49075 (requires contributor-level access, affecting versions up to 3.8.9.1). PHP object injection can lead to arbitrary code execution if a gadget chain is available in the WordPress environment, making these flaws especially dangerous despite the higher privilege requirement for the latter.

Patch Status and Mitigation

The JetEngine development team has released patched versions addressing all nine CVEs. Users on version 3.8.10.1 or earlier should update to the latest available release immediately. The most critical SQLi flaws (CVE-2026-54187, CVE-2026-12360) were fixed in version 3.8.10.2, while the earlier SQLi and XSS bugs were resolved in versions 3.8.9.2 and 3.8.10.1. Site administrators are advised to verify their plugin version and apply the update without delay.

Why This Batch Matters

JetEngine is a high-complexity plugin that extends WordPress with custom post types, dynamic listings, and AJAX-driven front-end filtering — exactly the kind of feature surface that invites deep security review. The simultaneous disclosure of nine vulnerabilities, including four unauthenticated SQLi flaws and two PHP object injection bugs, signals that attackers have multiple entry points to compromise sites running unpatched versions. Users should treat this batch as a priority update and monitor for follow-up advisories from the JetEngine vendor and the disclosing researchers.

AI-written article. Grounded in 9 CVE records listed below.