CVE-2026-4662

Name of the Vulnerable Software and Affected Versions JetEngine versions prior to 3.8.6.1

Description The JetEngine plugin for WordPress is susceptible to SQL Injection through the listing load more AJAX action. This is because the filtered query parameter lacks HMAC signature validation, allowing attackers to bypass security measures. Additionally, the prepare where clause() method within the SQL Query Builder does not sanitize the compare operator before incorporating it into SQL statements. This allows unauthenticated attackers to inject additional SQL queries into existing queries, potentially extracting sensitive database information. This is possible when a JetEngine Listing Grid with Load More enabled utilizes a SQL Query Builder query.

Recommendations Update JetEngine to version 3.8.6.1 or later.