Impact
Unauthenticated SQL injection is present in JetSmartFilters versions up to 3.8.1, allowing an attacker to inject arbitrary SQL into the database connection used by the plugin. This flaw can lead to unauthorized data exfiltration, modification of database contents, or, in worst‑case scenarios, use of the database to execute further attacks against the host system. The vulnerability is a classic instance of CWE‑89, which directly threatens confidentiality, integrity, and potentially availability of the site’s data.
Affected Systems
The affected product is the JetSmartFilters WordPress plugin developed by Jetimpex Inc. Versions of the plugin 3.8.1 and earlier are vulnerable; any WordPress installation that has such a version installed and exposed to the public web is at risk.
Risk and Exploitability
The CVSS score of 9.3 indicates a high severity and the absence of an EPSS rating means no current exploitation probability is available, but the flaw remains significant. The vulnerability is listed as not in the CISA KEV catalog, so there is no known active exploitation track. The likely attack vector is remote, through crafted requests to the plugin’s filter handling endpoints, and the unauthenticated nature means any website visitor can attempt exploitation. Given the severity and lack of mitigation on the application side, the risk to any affected site is substantial.
OpenCVE Enrichment