
JetEngine plugin CVE-2026-12360

EUVD-2026-37552 · HIGH
SQL Injection (CWE-89)
Published 2026-06-17 · Source: Wordfence
CVSS 3.1 score 7.5 · Vendor: Wordfence

Severity by source

Vendor (Wordfence), primary: 7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 7.5 HIGH

Unauthenticated network-reachable AJAX endpoint with no user interaction; blind SQLi yields high confidentiality impact via data exfiltration but no inherent write or DoS impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS Vector (Vendor: Wordfence)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 17, 2026 - 06:20 (vuln.today)
CVE Published: Jun 17, 2026 - 04:32 (cve.org), rated HIGH 7.5

Description (CVE.org)

The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.

Analysis (AI)

Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extract database contents via the listing_load_more AJAX handler. The filtered_query parameter is deliberately excluded from the HMAC signature check to enable front-end filter integration, but meta_query row values are merged into SQL without sanitization, enabling time-based or boolean blind injection. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Browse target site for a public Listing Grid
Delivery: Capture the listing_load_more AJAX request
Exploit: Inject a malicious meta_query into filtered_query
Execution: Bypass the HMAC check via the whitelisted parameter
Persist: Trigger blind SQL injection in WP_Meta_Query
Impact: Exfiltrate credentials via a timing oracle

Vulnerability Assessment (AI)

Exploitation: The target site must run the JetEngine plugin at version 3.8.10.1 or earlier with at least one publicly reachable page containing a Listing Grid that exposes the listing_load_more AJAX action. No authentication, user interaction, or non-default configuration is required, because the filtered_query parameter is intentionally whitelisted out of the HMAC signature check to support front-end filters. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) is consistent with the description: exploitation is over the network against a default AJAX endpoint on any public Listing Grid page, requires no authentication or user interaction, and yields a confidentiality impact via blind SQLi without directly affecting integrity or availability. …

Exploit Scenario: An unauthenticated attacker browses any public page hosting a JetEngine Listing Grid, captures a legitimate Load More AJAX request to admin-ajax.php with action=listing_load_more, and appends a crafted meta_query row containing a time-based payload (e.g., a value that triggers SLEEP() via key manipulation) into filtered_query. The HMAC check passes because filtered_query is excluded from the signature, and the server executes the injected SQL fragment, allowing the attacker to enumerate wp_users credentials, secret keys, or arbitrary table contents one bit at a time through response-timing or boolean inference.

Remediation: An upstream fix is available (PR/commit), but the released patched version is not independently confirmed from the provided data. Administrators should consult the Crocoblock changelog at https://crocoblock.com/changelog/?plugin=jet-engine and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/fd839b20-69d1-4cad-80fc-3e7b9940fd30?source=cve to identify the exact fixed version above 3.8.10.1 and upgrade immediately. …

Recommended Action (AI)

Within 24 hours: Disable or uninstall JetEngine plugin versions ≤ 3.8.10.1 across all WordPress installations, or block external access to the listing_load_more AJAX handler via firewall/WAF. …
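As a compensating control for the WAF-side blocking suggested above, the following request-triage hook is an added example (not JetEngine, Crocoblock or Wordfence code) that inspects admin-ajax.php POST bodies for action=listing_load_more and rejects meta_query rows whose key, compare operator, cast type or value fall outside the shapes WP_Meta_Query legitimately needs. The nested parameter layout filtered_query[meta_query][N][field] and the sample bodies are assumptions, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Allowlists modelled on the operators and cast types WP_Meta_Query itself accepts.
SAFE_KEY = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")
SAFE_COMPARE = {"=", "!=", ">", ">=", "<", "<=", "LIKE", "NOT LIKE", "IN",
                "NOT IN", "BETWEEN", "NOT BETWEEN", "EXISTS", "NOT EXISTS"}
SAFE_TYPE = {"NUMERIC", "BINARY", "CHAR", "DATE", "DATETIME", "DECIMAL",
             "SIGNED", "TIME", "UNSIGNED"}
# Timing functions and SQL comment openers have no place in a meta value.
SUSPECT_VALUE = re.compile(r"(?i)\b(sleep|benchmark)\s*\(|--|/\*|;")
# Assumed wire format: filtered_query[meta_query][N][key|value|compare|type]=...
ROW = re.compile(r"^filtered_query\[meta_query\]\[(\d+)\]\[(\w+)\]$")

def parse_meta_rows(params):
    """Regroup flattened meta_query parameters into {row_index: {field: value}}."""
    rows = {}
    for name, values in params.items():
        m = ROW.match(name)
        if m:
            rows.setdefault(int(m.group(1)), {})[m.group(2)] = values[0]
    return rows

def triage(body):
    """Return ('allow', []) or ('block', reasons) for a raw admin-ajax.php POST body."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "listing_load_more":
        return "allow", []  # only the affected handler is inspected
    reasons = []
    for idx, row in parse_meta_rows(params).items():
        if not SAFE_KEY.match(row.get("key", "")):
            reasons.append(f"row {idx}: meta key is not a plain identifier")
        if row.get("compare", "=").upper() not in SAFE_COMPARE:
            reasons.append(f"row {idx}: compare operator outside allowlist")
        if row.get("type", "CHAR").upper() not in SAFE_TYPE:
            reasons.append(f"row {idx}: cast type outside allowlist")
        if SUSPECT_VALUE.search(row.get("value", "")):
            reasons.append(f"row {idx}: timing function or SQL comment in value")
    return ("block" if reasons else "allow"), reasons

# Constructed sample bodies for demonstration (not captured traffic).
BENIGN_BODY = ("action=listing_load_more&listing_id=12&page=2"
               "&filtered_query[meta_query][0][key]=price"
               "&filtered_query[meta_query][0][value]=100"
               "&filtered_query[meta_query][0][compare]=%3C%3D"
               "&filtered_query[meta_query][0][type]=NUMERIC")
SUSPECT_BODY = ("action=listing_load_more&listing_id=12&page=2"
                "&filtered_query[meta_query][0][key]=price+OR+SLEEP(5)"
                "&filtered_query[meta_query][1][key]=stock"
                "&filtered_query[meta_query][1][value]=1--")
```

Log every block verdict with its reasons; a spike in blocked rows on a single listing is the signal that someone is probing this handler, and the allowlists are stricter than the plugin's own validation, so tune them against real filter traffic before enforcing.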
