Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection.

This issue affects YMC Filter: from n/a through 3.11.5.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of special elements in SQL commands (CWE-89) allows an attacker to inject arbitrary SQL into the YMC Filter WordPress plugin's query handling. The flaw can be exploited to read, modify, or delete data that the plugin's database user can access. The risk is bounded by the database permissions granted to the plugin; no further capabilities such as code execution are documented in the vulnerability description.

Affected Systems

All WordPress sites that have the YMC Filter plugin installed in any version from its initial release through 3.11.5 are affected. The plugin is offered by YMC and adds filtering and grid display features to WordPress installations. Sites running any of these versions host the vulnerable code and are susceptible to exploitation.

Risk and Exploitability

The CVSS score of 9.3 marks this as a critical vulnerability. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is the web, with an attacker submitting crafted input through a form or URL that the plugin processes. Successful exploitation requires only the ability to send a request to the site; no privileges or user interaction are needed to trigger the injection.

Generated by OpenCVE AI on June 25, 2026 at 16:16 UTC.

Remediation

Vendor Solution

Update the WordPress Filter & Grids Plugin to the latest available version (at least 3.11.6).

OpenCVE Recommended Actions

  • Upgrade the YMC Filter plugin to version 3.11.6 or later, which contains the fix for the SQL injection vulnerability.
  • If an upgrade cannot be performed immediately, temporarily disable or completely remove the YMC Filter plugin to eliminate the attack surface until a patch is applied.
  • After applying the fix, review the database for unauthorized changes or newly created accounts, and rotate any credentials that could have been exposed while the vulnerable version was installed.

Generated by OpenCVE AI on June 25, 2026 at 16:16 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from n/a through 3.11.5.

Type: Title
Values Removed: (none)
Values Added: WordPress Filter & Grids plugin <= 3.11.5 - SQL Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T23:23:53.973Z

Reserved: 2026-06-16T09:21:57.269Z

Link: CVE-2026-54836

Vulnrichment

Updated: 2026-06-25T23:23:49.178Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:30:15Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')