VYPR
High severity · CVSS 7.5 · NVD Advisory · Published Mar 24, 2026 · Updated Apr 24, 2026

CVE-2026-4662

Description

The JetEngine plugin for WordPress is vulnerable to SQL Injection via the listing_load_more AJAX action in all versions up to, and including, 3.8.6.1. This is due to the filtered_query parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the prepare_where_clause() method in the SQL Query Builder not sanitizing the compare operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in the JetEngine WordPress plugin (≤ 3.8.6.1) via the `listing_load_more` AJAX action: the `filtered_query` parameter is excluded from the HMAC signature check, and the `compare` operator it carries is concatenated into SQL without sanitization.

The JetEngine plugin for WordPress is vulnerable to SQL Injection in all versions up to and including 3.8.6.1. The flaw resides in the listing_load_more AJAX action, where the filtered_query parameter is excluded from HMAC signature validation, so an attacker can modify it freely while the request still passes the signature check. Additionally, the prepare_where_clause() method in the SQL Query Builder fails to sanitize the compare operator before concatenating it into the SQL statement [1]. Either weakness alone would be far less useful: the signature is what should stop tampering with filtered_query, and operator validation is what should stop a tampered value from altering the query.

Exploitation requires the site to have a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query. An unauthenticated attacker can send a crafted request to the listing_load_more AJAX action, supplying a compare operator inside filtered_query that carries arbitrary SQL. No authentication is needed, and the attack is performed remotely over HTTP against the ordinary admin-ajax.php endpoint the plugin already exposes [1].

Successful exploitation allows an unauthenticated attacker to append additional SQL to existing queries and extract sensitive information from the WordPress database, such as user password hashes or other confidential data. The CVSS v3 base score is 7.5 (High), reflecting unauthenticated remote exploitation and the disclosure of database contents [1].
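The two weaknesses described above, modelled in Python as an added example (this is not JetEngine's code, and the field names, the shared secret and the sample table are constructed for illustration). The first half shows why a signature that omits `filtered_query` does not protect it: a request signed with benign filter values still verifies after the `compare` field is rewritten. The second half shows a where-clause builder that concatenates the operator, the tautology and boolean-oracle queries that buys an attacker, and a hardened builder that allowlists the operator and keeps values in placeholders.

```python
import hashlib
import hmac
import json
import sqlite3

SECRET = b"example-shared-secret"  # assumption: the server-side HMAC key

# Constructed sample rows standing in for a table a listing might query.
ROWS = [
    ("alice", "admin", "alice@example.com"),
    ("bob", "subscriber", "bob@example.com"),
    ("carol", "subscriber", "carol@example.com"),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, role TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return con


# --- weakness 1: a signature that does not cover every field the server acts on ---

def sign_partial(params):
    """Model of the flawed scheme: 'filtered_query' is left out of the signed message."""
    signed = {k: v for k, v in params.items() if k != "filtered_query"}
    msg = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_full(params):
    """Hardened: every request field the handler will use is part of the signed message."""
    msg = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify(params, sig, signer):
    return hmac.compare_digest(signer(params), sig)


def tampered_request_accepted(signer):
    """True if a request whose filtered_query was altered after signing still verifies."""
    original = {
        "query": {"table": "users"},
        "filtered_query": {"field": "role", "compare": "=", "value": "subscriber"},
    }
    sig = signer(original)                      # signed by the legitimate front end
    tampered = json.loads(json.dumps(original))  # attacker edits the unsigned field
    tampered["filtered_query"]["compare"] = "= '' OR '1' = '1' OR role ="
    return verify(tampered, sig, signer)


# --- weakness 2: the compare operator is concatenated into the WHERE clause ---

ALLOWED_FIELDS = {"login", "role", "email"}
ALLOWED_COMPARE = {"=", "!=", "<", "<=", ">", ">=", "LIKE"}


def where_vulnerable(field, compare, value):
    """The value is parameterized, but the operator is pasted in verbatim."""
    return f"WHERE {field} {compare} ?", (value,)


def where_hardened(field, compare, value):
    """Identifier and operator come from allowlists; only the value is user data."""
    if field not in ALLOWED_FIELDS:
        raise ValueError("unknown field")
    if compare.upper() not in ALLOWED_COMPARE:
        raise ValueError("compare operator not allowed")
    return f"WHERE {field} {compare.upper()} ?", (value,)


def builder_accepts(builder, field, compare, value):
    try:
        builder(field, compare, value)
        return True
    except ValueError:
        return False


def run(con, builder, field, compare, value):
    clause, args = builder(field, compare, value)
    rows = con.execute("SELECT login FROM users " + clause, args)
    return sorted(r[0] for r in rows)


def leak_first_char(con, target_login, guess):
    """Boolean oracle: the injected operator turns the filter into a question about another row."""
    compare = (
        f"= '' OR (login = '{target_login}' AND substr(email, 1, 1) = '{guess}') OR role ="
    )
    return run(con, where_vulnerable, "role", compare, "no-such-role") == [target_login]


if __name__ == "__main__":
    con = make_db()
    print("partial signature accepts tampering:", tampered_request_accepted(sign_partial))
    print("full signature accepts tampering:   ", tampered_request_accepted(sign_full))
    print("tautology via operator:", run(con, where_vulnerable, "role", "= '' OR '1' = '1' OR role =", "admin"))
    print("alice's email starts with 'a':", leak_first_char(con, "alice", "a"))
    print("hardened accepts injected operator:", builder_accepts(where_hardened, "role", "= '' OR '1' = '1' OR role =", "admin"))
```

The point of the hardened builder is that a value placeholder (`?` here, `%s` in WordPress's `$wpdb->prepare()`) protects values only; an operator or column name is SQL syntax and can only be made safe by restricting it to a fixed set before it reaches the string. Likewise, an HMAC is only as good as its coverage: any request field the handler reads must be in the signed message, or the signature proves nothing about it.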

Crocoblock addressed this vulnerability in JetEngine version 3.8.6.2, as noted in the plugin changelog. Site owners are strongly advised to update to that version or later immediately. No workarounds have been published, and the vulnerability was not listed in CISA's Known Exploited Vulnerabilities catalog at the time of publication [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patch commits discovered yet; the fix is shipped in JetEngine 3.8.6.2 per the vendor changelog)

References: 6

News mentions: 3