Skip to main content

JetSmartFilters CVE-2026-56067

| EUVDEUVD-2026-39720 CRITICAL
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-c2rx-68rq-4pfx
9.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
7.5 HIGH

Unauthenticated network SQLi with low complexity (AV:N/AC:L/PR:N), primarily data disclosure so C:H; no clear write/integrity or availability impact and no cross-system scope change, so I:N/A:N/S:U.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:57 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in JetSmartFilters <= 3.8.3 versions.

AnalysisAI

Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (Crocoblock) affects all versions up to and including 3.8.3, letting remote attackers with no authentication inject crafted SQL through plugin filter parameters and read sensitive database contents. The CVSS 9.3 rating reflects network reachability with no privileges or user interaction required; the issue was reported by Patchstack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running JetSmartFilters
Delivery
Send crafted request to filter AJAX endpoint
Exploit
Inject SQL via unsanitized filter parameter
Execution
Extract database records (users, hashes)
Impact
Reuse stolen data for further compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires that the JetSmartFilters plugin (version 3.8.3 or earlier) is installed and active on a reachable WordPress site, with its AJAX-based filter functionality exposed on the front end - its normal, default operating mode. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially conflicting and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a WordPress site running JetSmartFilters and sends a crafted HTTP request to the plugin's front-end AJAX filtering endpoint with a malicious value in a filter parameter. Because the input is not sanitized, the payload alters the underlying SQL query and exfiltrates data such as user records or password hashes from the WordPress database. …
Remediation Upgrade JetSmartFilters to a version newer than 3.8.3 once Crocoblock publishes a fixed release; the input does not specify an exact patched version, so no vendor-released fix version is independently confirmed at time of analysis - verify the current fixed version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/jet-smart-filters/vulnerability/wordpress-jetsmartfilters-plugin-3-8-3-sql-injection-vulnerability?_s_id=cve) and the Crocoblock changelog before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress installations for JetSmartFilters plugin versions up to 3.8.3; deactivate and disable the plugin immediately on all affected sites. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy