Skip to main content

JetSmartFilters CVE-2026-48875

| EUVDEUVD-2026-37611 CRITICAL
SQL Injection (CWE-89)
2026-06-17 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network SQLi (AV:N/AC:L/PR:N/UI:N); SQLi reaches the shared WP database so S:C with C:H; SQLi typically allows some write so I:L, no clear availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:09 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.

AnalysisAI

Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (versions ≤ 3.8.1) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. The CVSS 9.3 score reflects a scope-changing flaw with high confidentiality impact and low availability impact, and no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running JetSmartFilters ≤3.8.1
Delivery
Send crafted request to vulnerable filter endpoint
Exploit
Inject UNION-based SQL payload
Execution
Exfiltrate wp_users password hashes and secrets
Persist
Crack hashes or reuse session tokens
Impact
Authenticate to wp-admin and deploy backdoor

Vulnerability AssessmentAI

Exploitation The target site must have the JetSmartFilters plugin installed and active at version 3.8.1 or earlier, and the vulnerable filter endpoint must be reachable over HTTP/HTTPS (default for any public WordPress site using the plugin). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes an unauthenticated, network-reachable, low-complexity attack with no user interaction - the worst-case exposure profile for a WordPress plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to a public WordPress page that exposes a JetSmartFilters AJAX endpoint, injecting SQL through a vulnerable filter parameter to UNION-select rows from wp_users and exfiltrate administrator password hashes. The hashes are then cracked offline or replayed against other services, and the recovered admin credentials are used to log into wp-admin and install a backdoor plugin. …
Remediation Upgrade JetSmartFilters to a release later than 3.8.1 as published by Crocoblock/JetImpex - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-smart-filters/vulnerability/wordpress-jetsmartfilters-plugin-3-8-1-sql-injection-vulnerability for the vendor-released patched version once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress installations to identify those running JetSmartFilters ≤3.8.1; document affected systems and versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy