CVE-2026-12360
published 2026-06-17CVE-2026-12360: JetEngine <= 3.8.10.1 - Unauthenticated SQL Injection via Listing Grid Load More AJAX Endpoint The JetEngine plugin for WordPress is vulnerable to SQL…
high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.32%
23.9th percentile
JetEngine <= 3.8.10.1 - Unauthenticated SQL Injection via Listing Grid Load More AJAX Endpoint
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.
Timeline: 2026-06-16: Vendor Notified; 2026-06-16: Disclosed
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crocoblock | jetengine | <= 3.8.10.1 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CVEList
JetEngine <= 3.8.10.1 - Unauthenticated SQL Injection via Listing Grid Load More AJAX Endpoint
cvelistv5·2026-06-17·CVSS 7.5
CVE-2026-12360 [HIGH] CWE-89 JetEngine <= 3.8.10.1 - Unauthenticated SQL Injection via Listing Grid Load More AJAX Endpoint
JetEngine <= 3.8.10.1 - Unauthenticated SQL Injection via Listing Grid Load More AJAX Endpoint
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.
Timeline: 2026-06-16: Vendor Notified; 2026-06-16: Disclosed
GHSA
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1.
ghsa_unreviewed·2026-06-17
CVE-2026-12360 [HIGH] CWE-89 The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1.
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-17
Published