Skip to main content

Ymc Filter

2 CVEs product

Monthly

CVE-2026-10823 HIGH POC PATCH This Week

Information disclosure in the YMC Filter WordPress plugin before 3.11.3 lets unauthenticated remote attackers read the titles and content of private, draft, and other non-public posts by abusing a REST API endpoint that lacks proper authorization and fails to validate a user-supplied query parameter. WPScan reported the flaw, a public exploit exists, and a vendor patch is available; the CVSS 3.1 score is 7.5 reflecting high confidentiality impact with no integrity or availability effect.

WordPress Information Disclosure Ymc Filter
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-54836 CRITICAL Act Now

SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. No public exploit identified at time of analysis, and no EPSS score was supplied, so real-world exploitation prevalence is currently unmeasured.

SQLi Ymc Filter
NVD
CVSS 3.1
9.3
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Information disclosure in the YMC Filter WordPress plugin before 3.11.3 lets unauthenticated remote attackers read the titles and content of private, draft, and other non-public posts by abusing a REST API endpoint that lacks proper authorization and fails to validate a user-supplied query parameter. WPScan reported the flaw, a public exploit exists, and a vendor patch is available; the CVSS 3.1 score is 7.5 reflecting high confidentiality impact with no integrity or availability effect.

WordPress Information Disclosure Ymc Filter
NVD WPScan VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. No public exploit identified at time of analysis, and no EPSS score was supplied, so real-world exploitation prevalence is currently unmeasured.

SQLi Ymc Filter
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy