Description
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated SQL injection is present in JetSmartFilters versions up to 3.8.1, allowing an attacker to inject arbitrary SQL into the database connection used by the plugin. This flaw can lead to unauthorized data exfiltration, modification of database contents, or, in worst‑case scenarios, use of the database to execute further attacks against the host system. The vulnerability is a classic instance of CWE‑89, which directly threatens confidentiality, integrity, and potentially availability of the site’s data.

Affected Systems

The affected product is the JetSmartFilters WordPress plugin developed by Jetimpex Inc. Versions of the plugin 3.8.1 and earlier are vulnerable; any WordPress installation that has such a version installed and exposed to the public web is at risk.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity and the absence of an EPSS rating means no current exploitation probability is available, but the flaw remains significant. The vulnerability is listed as not in the CISA KEV catalog, so there is no known active exploitation track. The likely attack vector is remote, through crafted requests to the plugin’s filter handling endpoints, and the unauthenticated nature means any website visitor can attempt exploitation. Given the severity and lack of mitigation on the application side, the risk to any affected site is substantial.

Generated by OpenCVE AI on June 18, 2026 at 12:12 UTC.

Remediation

Vendor Solution

Update the WordPress JetSmartFilters Plugin to the latest available version (at least 3.8.1.1).


OpenCVE Recommended Actions

  • Apply the latest JetSmartFilters plugin update (≥ 3.8.1.1) to eliminate the SQL injection flaw
  • If the plugin is not essential, consider disabling or uninstalling it to remove the attack surface
  • Deploy application or web‑application firewall rules that detect and block typical SQL injection patterns against the JetSmartFilters endpoints

Generated by OpenCVE AI on June 18, 2026 at 12:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jetimpex Inc.
Jetimpex Inc. jetsmartfilters
Wordpress
Wordpress wordpress
Vendors & Products Jetimpex Inc.
Jetimpex Inc. jetsmartfilters
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.
Title WordPress JetSmartFilters plugin <= 3.8.1 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Jetimpex Inc. Jetsmartfilters
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:27:00.242Z

Reserved: 2026-05-25T22:10:13.824Z

Link: CVE-2026-48875

cve-icon Vulnrichment

Updated: 2026-06-17T12:26:51.189Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')