Ymc Filter
Monthly
Information disclosure in the YMC Filter WordPress plugin before 3.11.3 lets unauthenticated remote attackers read the titles and content of private, draft, and other non-public posts by abusing a REST API endpoint that lacks proper authorization and fails to validate a user-supplied query parameter. WPScan reported the flaw, a public exploit exists, and a vendor patch is available; the CVSS 3.1 score is 7.5 reflecting high confidentiality impact with no integrity or availability effect.
SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. No public exploit identified at time of analysis, and no EPSS score was supplied, so real-world exploitation prevalence is currently unmeasured.
Information disclosure in the YMC Filter WordPress plugin before 3.11.3 lets unauthenticated remote attackers read the titles and content of private, draft, and other non-public posts by abusing a REST API endpoint that lacks proper authorization and fails to validate a user-supplied query parameter. WPScan reported the flaw, a public exploit exists, and a vendor patch is available; the CVSS 3.1 score is 7.5 reflecting high confidentiality impact with no integrity or availability effect.
SQL injection in the YMC Filter (YMC Smart Filter / Filter Grids) WordPress plugin lets remote attackers inject malicious SQL through unsanitized input, affecting all versions up to and including 3.11.5. Per the CVSS vector (PR:N), exploitation is unauthenticated and network-reachable, enabling database content disclosure and a scope change beyond the plugin's own data. No public exploit identified at time of analysis, and no EPSS score was supplied, so real-world exploitation prevalence is currently unmeasured.