{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4662", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-23T16:17:21.389Z", "datePublished": "2026-03-24T04:27:50.452Z", "dateUpdated": "2026-04-08T17:32:21.875Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:21.875Z"}, "affected": [{"vendor": "Crocoblock", "product": "JetEngine", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8.6.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query."}], "title": "JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f10cf49b-1b78-43c1-b0d1-c1dbb74d5696?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/query-builder/queries/sql.php#L1038"}, {"url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/listings/ajax-handlers.php#L251"}, {"url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/query-builder/listings/query.php#L125"}, {"url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/query-builder/queries/sql.php#L962"}, {"url": "https://crocoblock.com/changelog/?plugin=jet-engine"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "timeline": [{"time": "2026-03-17T18:07:33.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-23T16:17:43.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:32:25.889885Z", "id": "CVE-2026-4662", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:32:42.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4662", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:32:25.889885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:32:39.000Z"}}], "cna": {"title": "JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Crocoblock", "product": "JetEngine", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.8.6.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-17T18:07:33.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-23T16:17:43.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f10cf49b-1b78-43c1-b0d1-c1dbb74d5696?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/query-builder/queries/sql.php#L1038"}, {"url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/listings/ajax-handlers.php#L251"}, {"url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/query-builder/listings/query.php#L125"}, {"url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/query-builder/queries/sql.php#L962"}, {"url": "https://crocoblock.com/changelog/?plugin=jet-engine"}], "descriptions": [{"lang": "en", "value": "The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:21.875Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4662", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:32:21.875Z", "dateReserved": "2026-03-23T16:17:21.389Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-24T04:27:50.452Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query."}, {"lang": "es", "value": "El plugin JetEngine para WordPress es vulnerable a inyecci\u00f3n SQL a trav\u00e9s de la acci\u00f3n AJAX 'listing_load_more' en todas las versiones hasta la 3.8.6.1, inclusive. Esto se debe a que el par\u00e1metro 'filtered_query' fue excluido de la validaci\u00f3n de firma HMAC (lo que permite que la entrada controlada por el atacante omita las comprobaciones de seguridad) combinado con que el m\u00e9todo 'prepare_where_clause()' en el Constructor de Consultas SQL no sanitiza el operador 'compare' antes de concatenarlo en sentencias SQL. Esto hace posible que atacantes no autenticados a\u00f1adan consultas SQL adicionales a consultas ya existentes que pueden usarse para extraer informaci\u00f3n sensible de la base de datos, siempre que el sitio tenga una cuadr\u00edcula de listado de JetEngine con Cargar m\u00e1s habilitado que utilice una consulta del Constructor de Consultas SQL."}], "id": "CVE-2026-4662", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-24T05:16:25.600", "references": [{"source": "security@wordfence.com", "url": "https://crocoblock.com/changelog/?plugin=jet-engine"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/listings/ajax-handlers.php#L251"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/query-builder/listings/query.php#L125"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/query-builder/queries/sql.php#L1038"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/jet-engine/tags/3.8.6.1/includes/components/query-builder/queries/sql.php#L962"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f10cf49b-1b78-43c1-b0d1-c1dbb74d5696?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.8.6.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "JetEngine", "source": "cna", "vendor": "Crocoblock"}, "product": "jetengine", "vendor": "crocoblock"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-24T06:20:35.969434+00:00", "value": {"mitigation_remediation": ["Upgrade JetEngine to the latest version (3.8.6.2 or newer) to ensure the filtered_query parameter is protected by the HMAC signature.", "If an upgrade is not immediately possible, disable the Listing Grid Load More feature or temporarily deactivate the JetEngine plugin on affected sites.", "Restrict access to the listing_load_more AJAX endpoint by implementing IP whitelisting or by requiring authentication.", "Audit the database for anomalous SQL activity and apply web application firewall rules to block suspicious query patterns."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated SQL Injection allowing sensitive data extraction"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Crocoblock JetEngine plugin installed with a Listing Grid having the Load More feature enabled. Any version of JetEngine 3.8.6.1 or earlier is vulnerable, regardless of the WordPress core version.", "description_and_impact": "The vulnerability exists in the JetEngine plugin for WordPress, affecting all releases up to and including 3.8.6.1. It is triggered through the listing_load_more AJAX action when the filtered_query parameter is not included in the HMAC signature validation. Because the prepare_where_clause() method fails to sanitize the compare operator, attackers can inject arbitrary SQL statements. The result is unauthenticated extraction of database contents, exposing sensitive data owned by the WordPress site.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, and while an EPSS score is not reported, the lack of authentication requirement makes exploitation straightforward for attackers who can reach the affected URL. The vulnerability is not listed in the CISA KEV catalog, but the discovered exploit opportunities and the widespread usage of JetEngine suggest a significant risk profile."}}}}, "created": "2026-03-24T10:29:00.986235+00:00", "updated": "2026-03-25T20:40:05.773573+00:00", "vendors": ["crocoblock", "crocoblock$PRODUCT$jetengine", "wordpress", "wordpress$PRODUCT$wordpress"]}