Description
Missing Authorization vulnerability in YMC Filter & Grids ymc-smart-filter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filter & Grids: from n/a through <= 3.5.1.
Published: 2026-03-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Broken Access Control
Action: Patch Now
AI Analysis

Impact

The YMC Filter & Grids plugin for WordPress contains a Missing Authorization flaw (CWE-862) that allows an attacker to bypass normal access controls and perform unauthorized operations on plugin data (CVE description). This flaw can enable reading, modifying, or deleting content managed by the plugin, thereby compromising confidentiality and integrity of the site’s data (CVE description).

Affected Systems

All installations of YMC Filter & Grids (ymc-smart-filter) with versions up to and including 3.5.1 are vulnerable, as the issue exists from the earliest release through 3.5.1 (CVE description). No fixed version is listed in the CNA data, so the exact affected versions are not explicitly enumerated.

Risk and Exploitability

The CVSS score is 5.3, indicating medium severity, and the EPSS score is <1%, showing a low current likelihood of exploitation (SCORES). The vulnerability is not listed in the CISA KEV catalog (SCORES). As no publicly documented exploit is known, the attack vector is inferred to be either a misconfiguration or an attacker who can influence the plugin's access‑control settings (inference from CVE description). The risk is therefore theoretical unless the site is misconfigured.

Generated by OpenCVE AI on March 19, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the YMC Filter & Grids plugin to a version newer than 3.5.1 if available.
  • Verify that the plugin’s access‑control settings are correctly configured so that only authenticated administrators can perform privileged actions (CVE description).
  • If a plugin update is not possible, restrict access to the plugin’s administrative URLs by using web‑server or firewall rules to allow only authenticated personnel.
  • Monitor the website’s logs for unauthorized attempts to access plugin endpoints and investigate any suspicious activity.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress, Wordpress wordpress, Ymc-22, Ymc-22 filter & Grids
Vendors & Products | | Wordpress, Wordpress wordpress, Ymc-22, Ymc-22 filter & Grids

Fri, 13 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in YMC Filter & Grids ymc-smart-filter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filter & Grids: from n/a through <= 3.5.1.
Title | | WordPress Filter & Grids plugin <= 3.5.1 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:08.802Z

Reserved: 2026-03-12T11:11:09.668Z

Link: CVE-2026-32397

Vulnrichment

Updated: 2026-03-13T18:45:52.695Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:54:55.447

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:04:04Z

Weaknesses