Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network SQLi (AV:N/AC:L/PR:N/UI:N); SQLi reaches the shared WP database so S:C with C:H; SQLi typically allows some write so I:L, no clear availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.
AnalysisAI
Unauthenticated SQL injection in the JetSmartFilters WordPress plugin (versions ≤ 3.8.1) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. The CVSS 9.3 score reflects a scope-changing flaw with high confidentiality impact and low availability impact, and no public exploit has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target site must have the JetSmartFilters plugin installed and active at version 3.8.1 or earlier, and the vulnerable filter endpoint must be reachable over HTTP/HTTPS (default for any public WordPress site using the plugin). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:N/UI:N) describes an unauthenticated, network-reachable, low-complexity attack with no user interaction - the worst-case exposure profile for a WordPress plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to a public WordPress page that exposes a JetSmartFilters AJAX endpoint, injecting SQL through a vulnerable filter parameter to UNION-select rows from wp_users and exfiltrate administrator password hashes. The hashes are then cracked offline or replayed against other services, and the recovered admin credentials are used to log into wp-admin and install a backdoor plugin. … |
| Remediation | Upgrade JetSmartFilters to a release later than 3.8.1 as published by Crocoblock/JetImpex - consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-smart-filters/vulnerability/wordpress-jetsmartfilters-plugin-3-8-1-sql-injection-vulnerability for the vendor-released patched version once available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress installations to identify those running JetSmartFilters ≤3.8.1; document affected systems and versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37611