SQL Injection Vulnerability in JetEngine Plugin for WordPress
CVE-2026-4662

7.5HIGH

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 24 March 2026

What is CVE-2026-4662?

The JetEngine plugin for WordPress is vulnerable to SQL injection through the listing_load_more AJAX action. The plugin does not verify the HMAC signature of the filtered_query parameter, so a client-supplied query structure is accepted as if the server had generated it, and the SQL Query Builder's prepare_where_clause() method does not adequately sanitize the compare operator before it is placed into the WHERE clause. Together these weaknesses allow an unauthenticated attacker to append additional SQL to existing database queries on sites that use a JetEngine Listing Grid with Load More enabled, potentially exposing sensitive information stored in the database.
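The two missing controls described above (signature verification of the client-echoed query and allowlisting of the compare operator) can be illustrated with a generic hardened pattern. The code below is an added example written for this page; it is not JetEngine or WordPress code and does not reproduce the plugin's actual fix. Function names (sign_filtered_query(), verify_filtered_query(), build_where_clause()), the allowlist contents, the JSON payload shape and the demo secret are all assumptions made for the illustration.

```php
<?php
// Added example (not JetEngine or WordPress code): hardening the two controls
// the advisory describes as missing. All function names are hypothetical.

// Only operators from this allowlist may reach the generated SQL.
const ALLOWED_COMPARE = ['=', '!=', '>', '>=', '<', '<=', 'LIKE', 'NOT LIKE', 'IN', 'NOT IN'];

/** Normalise and allowlist a compare operator; anything else is rejected. */
function validate_compare_operator(string $compare): string {
    $compare = strtoupper(trim($compare));
    if (!in_array($compare, ALLOWED_COMPARE, true)) {
        throw new InvalidArgumentException("Unsupported compare operator: $compare");
    }
    return $compare;
}

/** Column names are restricted to plain identifiers, never spliced in raw. */
function validate_column(string $column): string {
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
        throw new InvalidArgumentException('Invalid column name');
    }
    return $column;
}

/**
 * Server side, when rendering the listing: serialise the query the server built
 * and attach an HMAC so the client can echo it back on "load more" without
 * being able to alter it. The secret must be site-specific (e.g. derived from
 * wp_salt() in WordPress); the value below is a constructed demo secret.
 */
function sign_filtered_query(array $query, string $secret): array {
    $payload = json_encode($query, JSON_THROW_ON_ERROR);
    return ['payload' => $payload, 'sig' => hash_hmac('sha256', $payload, $secret)];
}

/**
 * Server side, on the AJAX request: refuse the payload unless its HMAC matches.
 * hash_equals() keeps the comparison constant-time.
 */
function verify_filtered_query(string $payload, string $sig, string $secret): array {
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $sig)) {
        throw new RuntimeException('filtered_query signature mismatch');
    }
    $query = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return is_array($query) ? $query : [];
}

/**
 * Build a parameterised WHERE clause: columns and operators are allowlisted,
 * values become %s placeholders for $wpdb->prepare() (or any prepared statement).
 * Returns [sql, args].
 */
function build_where_clause(array $query): array {
    $parts = [];
    $args  = [];
    foreach ($query as $clause) {
        $column  = validate_column((string) ($clause['column'] ?? ''));
        $compare = validate_compare_operator((string) ($clause['compare'] ?? '='));
        $value   = $clause['value'] ?? null;
        if (in_array($compare, ['IN', 'NOT IN'], true)) {
            $values       = is_array($value) ? array_values($value) : [$value];
            $placeholders = implode(', ', array_fill(0, count($values), '%s'));
            $parts[]      = "`$column` $compare ($placeholders)";
            foreach ($values as $v) {
                $args[] = (string) $v;
            }
        } else {
            $parts[] = "`$column` $compare %s";
            $args[]  = (string) $value;
        }
    }
    $sql = $parts ? 'WHERE ' . implode(' AND ', $parts) : '';
    return [$sql, $args];
}

// --- demonstration with constructed input ---
$secret = 'constructed-demo-secret';
$signed = sign_filtered_query(
    [['column' => 'post_status', 'compare' => '=', 'value' => 'publish']],
    $secret
);

// Legitimate round trip: signature verifies and a parameterised clause is built.
[$sql, $args] = build_where_clause(verify_filtered_query($signed['payload'], $signed['sig'], $secret));
echo $sql, "\n";   // WHERE `post_status` = %s
print_r($args);    // Array ( [0] => publish )

// Tampered payload: altering the operator invalidates the signature.
$tampered = str_replace('"="', '"= OR"', $signed['payload']);
try {
    verify_filtered_query($tampered, $signed['sig'], $secret);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Even if the signature check were bypassed, the operator allowlist still rejects it.
try {
    build_where_clause(json_decode($tampered, true));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The two checks are deliberately independent: the HMAC guarantees that the structure of filtered_query is the one the server produced, and the allowlist in build_where_clause() guarantees that even a structure of unknown origin can only contribute a fixed set of operators and identifier-shaped column names, with every value passed as a placeholder argument rather than concatenated into the SQL.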

Affected Version(s)

JetEngine, all versions up to and including 3.8.6.1 (0 <= version <= 3.8.6.1)

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Phú