Skip to main content

YMC Filter EUVDEUVD-2026-39389

| CVE-2026-54836 CRITICAL
SQL Injection (CWE-89)
2026-06-25 Patchstack GHSA-9mfm-rqgg-86f7
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated, network-reachable SQLi with low complexity (AV:N/AC:L/PR:N/UI:N); injection reaches the shared DB backend (S:C), primarily enabling data read (C:H) with limited availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:25 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection.

This issue affects YMC Filter: from n/a through 3.11.5.

AnalysisAI

SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running YMC Filter
Delivery
Locate injectable filter parameter
Exploit
Send crafted SQL via HTTP request
Execution
Database executes malicious query
Impact
Exfiltrate user and credential data

Vulnerability AssessmentAI

Exploitation Exploitation requires the YMC Filter (YMC Smart Filter / Filter Grids) plugin, version 3.11.5 or earlier, to be installed and active on a network-reachable WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 9.3 (critical) driven by AV:N (network), AC:L (low complexity), PR:N (no privileges), UI:N (no user interaction) and S:C (scope change), with C:H confidentiality, I:N integrity and A:L availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a site running YMC Filter ≤3.11.5 and sends a crafted HTTP request to the plugin's filter/grid endpoint with a malicious value in an injectable parameter (e.g. a filter, taxonomy, or AJAX argument). …
Remediation No vendor-released patch version is identified in the available data (the advisory lists affected versions up to 3.11.5 without a confirmed fixed release), so monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/ymc-smart-filter/vulnerability/wordpress-filter-grids-plugin-3-11-5-sql-injection-vulnerability and the plugin's WordPress.org page for an update beyond 3.11.5 and apply it immediately when published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable the YMC Smart Filter plugin across all WordPress installations and document affected sites. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy