CVE-2026-12360: JetEngine <= 3.8.10.1 - Unauthenticated SQL Injection via Listing Grid Load More AJAX Endpoint
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC signature check applied to the rest of the query, so that front-end filters can modify it. However, the values of meta_query rows inside filtered_query are not sanitized before being merged into the SQL the plugin builds. An unauthenticated attacker can therefore perform time-based or boolean blind SQL injection by capturing a normal Load More AJAX request from any public Listing Grid page and appending a malicious meta_query value.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no patched release published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability exists in the JetEngine plugin for WordPress (versions up to and including 3.8.10.1). The flaw is reachable over the network without a login: a crafted AJAX request to the listing_load_more endpoint carries meta_query row values inside the filtered_query parameter that are not sanitized before they are used in SQL construction, allowing time-based or boolean blind injection. Because the injection is blind, data is extracted by inference, one condition at a time, but any table readable by the WordPress database user is in scope, including user credentials, session tokens and any other stored records. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix is released.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-12360 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence and NVD) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle JetEngine. Any image found running JetEngine at or below version 3.8.10.1 is flagged automatically.
- Severity scoring and routing: Available
HarborGuard scores this finding at CVSS 7.5 HIGH and surfaces it with that severity label in each customer's dashboard. Per-environment compliance policy weighting is applied, and the finding is routed to the appropriate team inbox based on each org's configured triage rules.
- Patched-image rebuild: Pending upstream
Because no upstream fix has been published for CVE-2026-12360, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Crocoblock ships a remediated release. In the interim, customers with compensating-control policies can use HarborGuard's network-policy suggestions to restrict public AJAX endpoint exposure at the container or ingress layer.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress site over the network; the vulnerable AJAX endpoint is publicly exposed on any site with a Listing Grid page.
- Authentication: Not required
No account or credentials of any kind are needed; the listing_load_more AJAX handler accepts requests from unauthenticated visitors.
- Victim interaction: Not required
The attacker sends a crafted HTTP request directly to the endpoint; no user action or social engineering is required.
- Attack complexity: Low
Exploitation is reliable and requires no special configuration or race condition; the attacker only needs to capture a normal Load More AJAX request from any public Listing Grid page and append a malicious meta_query value.
Blast Radius
- Reads any row in the WordPress database, including wp_users password hashes, e-mail addresses, and session tokens.
- Extracts stored plugin configuration, API keys, and private post content by iterating database tables through blind injection queries.
- Harvested password hashes can be cracked offline and the recovered passwords reused in credential-stuffing attacks against other services.
- Exposes any customer, order, or custom post type data stored in the database by a site using JetEngine-powered listing grids.
How HarborGuard Handles This
Available on HarborGuard: detection against CVE-2026-12360 is active for any customer image containing JetEngine at or below version 3.8.10.1, with findings scored at CVSS 7.5 HIGH and routed per each org's compliance policy. Because Crocoblock has not yet published a fix, there is no patched-image rebuild to offer at this time; HarborGuard re-evaluates the advisory on every ingest cycle and will generate a rebuilt image and, for customers with auto-remediation enabled, open a PR against affected workloads the moment an upstream patch is available. While waiting for a fix, HarborGuard surfaces compensating-control recommendations: applying a WordPress application firewall rule that blocks listing_load_more requests whose meta_query values contain SQL injection markers, restricting public access to wp-admin/admin-ajax.php at the ingress or network-policy layer where operationally feasible, and disabling the Load More AJAX handler on Listing Grid pages until a patched version ships. Note that admin-ajax.php also serves legitimate unauthenticated front-end requests from JetEngine itself and from other plugins, so a blanket block breaks site functionality; where possible, match on the action parameter (action=listing_load_more) rather than the whole endpoint.
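The firewall rule recommended above is easier to reason about with the request shape in front of you. The following is an added example written for this page, not HarborGuard or Crocoblock code: it decodes a captured admin-ajax.php request body, isolates the meta_query rows of filtered_query described in the advisory, and flags values carrying the primitives a time-based or boolean blind payload needs. The wire format is an assumption (form-encoded POST with action=listing_load_more, filtered_query either as PHP-style bracketed keys or as a JSON string), as are the sample bodies, which are constructed rather than captured.

```python
"""Flag JetEngine 'Load More' AJAX requests whose filtered_query meta_query rows
carry SQL-injection markers.

Added example for this advisory: it is not HarborGuard or Crocoblock code and it
does not reproduce JetEngine's own parsing. Assumed wire format: a form-encoded
POST to wp-admin/admin-ajax.php with action=listing_load_more, where
filtered_query arrives either as PHP-style bracketed keys
(filtered_query[meta_query][0][value]=...) or as one JSON string. The real
request shape may differ; the matching logic is the part that carries over.
"""
import json
import re
from urllib.parse import parse_qsl, quote

# Markers that a blind-SQLi payload needs and that a legitimate filter value
# almost never contains. Kept narrow on purpose: a lone apostrophe in "men's"
# or a bare "--" is not enough to trip the rule.
SQLI_MARKERS = {
    "time-based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "boolean": re.compile(r"['\")]\s*(?:or|and)\s+\S+\s*(?:=|<|>|like\b)", re.I),
    "comment-break": re.compile(r"['\")]\s*(?:--|#|/\*)"),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}


def _set_nested(tree, key, value):
    """Insert a PHP-style key such as a[b][0][c] into nested dicts."""
    parts = [key.split("[", 1)[0]] + re.findall(r"\[([^\]]*)\]", key)
    node = tree
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    last = parts[-1] or str(len(node))  # a[] appends at the next index
    node[last] = value


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body into nested dicts."""
    tree = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        _set_nested(tree, key, value)
    return tree


def _string_leaves(node, path):
    """Yield (path, text) for every string nested anywhere under node."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for k, v in node.items():
            yield from _string_leaves(v, f"{path}[{k}]")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _string_leaves(v, f"{path}[{i}]")


def scan_load_more_request(body):
    """Return findings for one request body; an empty list means nothing matched.

    Only action=listing_load_more is inspected, and within it only the
    meta_query rows of filtered_query, mirroring the unsanitized path the
    advisory describes. Every string in a row is checked (key, value, compare),
    a deliberate superset of the advisory's "row values".
    """
    form = parse_form_body(body)
    if form.get("action") != "listing_load_more":
        return []
    fq = form.get("filtered_query", {})
    if isinstance(fq, str):  # JSON variant
        try:
            fq = json.loads(fq)
        except ValueError:
            # Fail closed: a filtered_query the rule cannot parse cannot be cleared.
            return [{"field": "filtered_query", "marker": "unparseable", "value": fq[:80]}]
    meta_query = fq.get("meta_query", {}) if isinstance(fq, dict) else {}
    findings = []
    for field, text in _string_leaves(meta_query, "meta_query"):
        for marker, pattern in SQLI_MARKERS.items():
            if pattern.search(text):
                findings.append({"field": field, "marker": marker, "value": text})
                break  # one marker per field is enough to block the request
    return findings


# Constructed sample bodies, not captured traffic.
BENIGN_REQUEST = (
    "action=listing_load_more&page=2"
    "&filtered_query[meta_query][0][key]=_price"
    "&filtered_query[meta_query][0][value]=100"
    "&filtered_query[meta_query][0][compare]=%3E%3D"
    "&filtered_query[meta_query][1][key]=_brand"
    "&filtered_query[meta_query][1][value]=men%27s+shoes"
)
TIME_BASED_REQUEST = (
    "action=listing_load_more&page=2"
    "&filtered_query[meta_query][0][key]=_price"
    "&filtered_query[meta_query][0][value]=100%27+AND+SLEEP%285%29--+-"
)
BOOLEAN_JSON_REQUEST = "action=listing_load_more&page=3&filtered_query=" + quote(
    json.dumps({"meta_query": [{"key": "_color", "value": "red' OR 1=1-- -", "compare": "="}]})
)

if __name__ == "__main__":
    for name, body in [("benign", BENIGN_REQUEST), ("time-based", TIME_BASED_REQUEST),
                       ("boolean/json", BOOLEAN_JSON_REQUEST)]:
        print(name, scan_load_more_request(body))
```

Scoping the rule to action=listing_load_more and to the meta_query subtree keeps it from firing on the many other unauthenticated admin-ajax.php actions a WordPress site legitimately serves, while failing closed on a filtered_query that cannot be parsed denies the obvious evasion of feeding the rule something its parser rejects but the plugin might still accept.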
Affected Products
- Crocoblock / JetEngine: ≤ 3.8.10.1
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N