The JetEngine plugin for WordPress contains an SQL Injection vulnerability (CWE-89) identified as CVE-2026-4662. The issue stems from the `filtered_query` parameter being excluded from HMAC signature validation, permitting attacker-controlled input to bypass security checks. Furthermore, the `prepare_where_clause()` method in the SQL Query Builder fails to sanitize the `compare` operator before concatenation into SQL statements. This combination allows unauthenticated attackers to append malicious SQL code via the `listing_load_more` AJAX action, which can be exploited to extract sensitive information from the database if the affected feature (Listing Grid with Load More using SQL Query Builder) is enabled. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity, with network attack vector, low attack complexity, no privileges or user interaction required, and impacts confidentiality but not integrity or availability.

An unauthenticated attacker can exploit this vulnerability to perform SQL Injection attacks via the `listing_load_more` AJAX action, potentially extracting sensitive information from the WordPress site's database. The vulnerability impacts confidentiality but does not affect integrity or availability. Exploitation requires the site to have a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — no official patch or remediation guidance is currently provided by the vendor. Users should monitor the Crocoblock vendor advisories for updates and apply any official fixes once available. Until a patch is released, consider disabling the Listing Grid Load More feature or avoid using SQL Query Builder queries in JetEngine to reduce exposure. Avoid exposing the vulnerable AJAX action to untrusted users if possible.