Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated, network-reachable SQLi with low complexity (AV:N/AC:L/PR:N/UI:N); injection reaches the shared DB backend (S:C), primarily enabling data read (C:H) with limited availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection.
This issue affects YMC Filter: from n/a through 3.11.5.
AnalysisAI
SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the YMC Filter (YMC Smart Filter / Filter Grids) plugin, version 3.11.5 or earlier, to be installed and active on a network-reachable WordPress site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 9.3 (critical) driven by AV:N (network), AC:L (low complexity), PR:N (no privileges), UI:N (no user interaction) and S:C (scope change), with C:H confidentiality, I:N integrity and A:L availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a site running YMC Filter ≤3.11.5 and sends a crafted HTTP request to the plugin's filter/grid endpoint with a malicious value in an injectable parameter (e.g. a filter, taxonomy, or AJAX argument). … |
| Remediation | No vendor-released patch version is identified in the available data (the advisory lists affected versions up to 3.11.5 without a confirmed fixed release), so monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ymc-smart-filter/vulnerability/wordpress-filter-grids-plugin-3-11-5-sql-injection-vulnerability and the plugin's WordPress.org page for an update beyond 3.11.5 and apply it immediately when published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable the YMC Smart Filter plugin across all WordPress installations and document affected sites. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Ymc Filter
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39389
GHSA-9mfm-rqgg-86f7