CVE-2026-12360

The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing load more AJAX handler accepts a filtered query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta query row values within filtered query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta query value to a Load More AJAX request captured from any public Listing Grid page.