
JetSmartFilters Unauthenticated SQL Injection Vulnerability

CVE advisory · Severity: CRITICAL (CVSS 9.3)

CVE-2026-48875

An unauthenticated SQL injection vulnerability exists in a widely used website filtering plugin, potentially allowing attackers to access or manipulate database information without logging in. This could impact data integrity and security on affected sites, necessitating confirmation of its presence and assessment of p

SQL Injection

Halo Surface Signal

Very likely · external exposure

Score: 5

This vulnerability affects a WordPress plugin, which is a component of public-facing web applications. Because the vulnerability is unauthenticated and resides in a web-based plugin component, it is reachable by any user accessing the website from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability involves an unauthenticated SQL injection flaw in a widely used website filtering plugin. The issue allows attackers to potentially access or manipulate database information without needing to log in, which could have significant implications for data integrity and security across affected sites. The primary concern is to confirm if this plugin is in use and assess potential exposure.

  • Unauthenticated database access risk in website plugin.
  • External attackers could exploit this flaw remotely without credentials.
  • Confirm relevance and understand potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable website without needing any authentication. This targets a filtering component within the JetSmartFilters plugin, potentially allowing for unauthorized access to sensitive data or disruption of the website's database.

  • No authentication required.
  • Triggered via crafted filter requests.
  • Leads to unauthorized data access.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated SQL injection in JetSmartFilters could allow an attacker to interfere with the queries the plugin issues to the underlying database. Depending on the query reached, this could expose sensitive information or alter database contents.

  • System data and integrity at risk.
  • Exploitable remotely over the network.
  • Database information may be exposed.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in JetSmartFilters is an unauthenticated SQL injection flaw and needs immediate attention from teams managing WordPress sites. The first practical step is to identify every installation of the plugin, confirm whether each site is internet-reachable and how business-critical it is, and then coordinate remediation with the application owners and, where needed, the vendor. Where the vendor has published a fixed release, updating the plugin is the remediation; until that can be applied, deactivating the plugin or restricting public access to the site reduces exposure.

  • Application owners own remediation for affected sites.
  • Verify plugin presence, version and exposure first.
  • Plan remediation based on assessed risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-48875 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE involves an unauthenticated SQL injection vulnerability. SQL injection is one of the finding types the PCI ASV Program Guide treats as an automatic failure regardless of CVSS score, so an exposed, unremediated instance would fail an external ASV scan.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is the JetSmartFilters plugin used for?

JetSmartFilters is a WordPress plugin designed to help site owners build advanced filtering systems for their content. It allows visitors to narrow down search results, product listings, or custom queries based on specific criteria. Because each filter interaction is turned into a database query inside the WordPress environment, the values a visitor submits through a filter reach the database layer, which is why their handling is security-relevant.

What does SQL injection mean for CVE-2026-48875?

This vulnerability is classified as CWE-89 (improper neutralization of special elements used in an SQL command), which occurs when software places user-supplied data into a database query without proper sanitization or parameterization. In the context of CVE-2026-48875, an attacker can supply crafted values in the plugin's filter parameters so that they alter the structure of the SQL query the plugin builds, causing the database to execute instructions the developer did not intend and potentially revealing sensitive information stored in the system.
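The following is an added, generic illustration of CWE-89 and is not code from the JetSmartFilters plugin, the advisory, or the vendor; the table, the "category" filter and the tautology payload are invented for the demonstration and do not describe the actual CVE-2026-48875 mechanism. It shows the same filter implemented once by splicing the value into the SQL text and once with a bound parameter, and what each returns for a benign value and for a crafted one:

```python
# Added example (not code from the advisory or from the JetSmartFilters plugin):
# a generic CWE-89 demonstration. The table, the "category" filter and the
# payload are invented for illustration and are NOT the CVE-2026-48875 mechanism.
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample data: three posts, one of which is an unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, category TEXT, status TEXT);
        INSERT INTO posts VALUES (1, 'Public post', 'news', 'publish');
        INSERT INTO posts VALUES (2, 'Unpublished draft', 'news', 'draft');
        INSERT INTO posts VALUES (3, 'Other public post', 'tips', 'publish');
        """
    )
    return conn


def filter_posts_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    """CWE-89: the filter value is spliced into the SQL text, so it can change
    the statement's structure instead of only supplying data."""
    sql = (
        "SELECT id, title FROM posts "
        f"WHERE status = 'publish' AND category = '{category}'"
    )
    return conn.execute(sql).fetchall()


def filter_posts_fixed(conn: sqlite3.Connection, category: str) -> list:
    """Parameterized query: the driver passes the value separately from the
    statement, so it is only ever compared, never parsed as SQL."""
    sql = "SELECT id, title FROM posts WHERE status = 'publish' AND category = ?"
    return conn.execute(sql, (category,)).fetchall()


def demo() -> dict:
    """Run both versions with a benign value and with a tautology payload."""
    conn = make_sample_db()
    benign = "news"
    # Classic tautology: closes the string literal and ORs in an always-true
    # condition. AND binds tighter than OR, so the status = 'publish' check is
    # bypassed and the unpublished draft leaks.
    payload = "news' OR '1'='1"
    return {
        "benign_vulnerable": filter_posts_vulnerable(conn, benign),
        "benign_fixed": filter_posts_fixed(conn, benign),
        "payload_vulnerable": filter_posts_vulnerable(conn, payload),
        "payload_fixed": filter_posts_fixed(conn, payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the benign value both versions return only the published "news" post. With the payload the vulnerable version returns every row, including the draft that the status check was meant to hide, while the parameterized version returns nothing because no category literally equals the payload string. In WordPress plugin code the equivalent of the fixed version is building the query with `$wpdb->prepare()` and placeholders rather than concatenating request values into the SQL passed to `$wpdb->get_results()`.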

How is this vulnerability triggered?

An attacker triggers this flaw by sending a specially crafted web request to a site using an affected version of the plugin. No login or administrative access is needed to initiate the attack. Crucially, the vulnerability relies on the plugin's ability to process these filter inputs; requests that do not interact with the vulnerable filtering component or that use standard, benign parameters will not trigger the bug.

Is my website at risk from this CVE?

According to Halo Surface Signal, this vulnerability is considered very likely to be reachable on public-facing websites. Because the plugin's filter endpoints are part of the site's public front end, any instance accessible from the internet can be targeted. If your WordPress site uses JetSmartFilters and is reachable by the public, you should assume the component is exposed to remote requests.

What should I do if I use this plugin?

Start by auditing your WordPress installations to confirm whether JetSmartFilters is installed and active, and record the version in use. Once identified, evaluate the plugin's role in your site's functionality and monitor for vendor updates or patches. Coordinate with your team to prioritize the update, since applying the vendor's fix is the most effective way to protect your database against injection attempts.
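The inventory step described in the Operational Fix section and in this answer, as an added example that is not the advisory's or the vendor's tooling: walk a directory of WordPress installations, find the plugin directory, and read the version from its plugin header. It assumes the plugin ships in `wp-content/plugins/jet-smart-filters/` (the slug is an assumption) and that its main PHP file carries a standard WordPress plugin header (`Plugin Name:`, `Version:`); the sample tree and the version string in it are constructed test data. Active or inactive state is stored in the database, not on disk, so this only reports presence and version:

```python
# Added example (not the advisory's or the vendor's tooling): inventory WordPress
# installations under a directory for the JetSmartFilters plugin and report the
# version found. Assumptions: the plugin lives in wp-content/plugins/jet-smart-filters/
# (slug assumed) and its main PHP file carries a standard WordPress plugin header
# ("Plugin Name:", "Version:"). Active/inactive state is not visible on disk.
import os
import re
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

PLUGIN_SLUG = "jet-smart-filters"  # assumed plugin directory name
PLUGIN_NAME = "JetSmartFilters"

# Same shape as WordPress's own header regex: any mix of whitespace and comment
# characters, then the header name, then the value up to end of line.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
    re.MULTILINE | re.IGNORECASE,
)


@dataclass
class PluginHit:
    site_root: str
    main_file: str
    version: Optional[str]


def parse_plugin_header(text: str) -> dict:
    """Extract 'plugin name' and 'version' (lower-cased keys) from a plugin file header."""
    return {key.lower(): value for key, value in HEADER_RE.findall(text)}


def find_plugin(plugin_dir: str) -> Optional[Tuple[str, Optional[str]]]:
    """Locate the plugin's main file: the first top-level .php with a Plugin Name header."""
    if not os.path.isdir(plugin_dir):
        return None
    for fname in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, fname)
        if not fname.endswith(".php") or not os.path.isfile(path):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            headers = parse_plugin_header(fh.read(8192))  # WordPress reads only the first 8 KiB
        if "plugin name" in headers:
            return path, headers.get("version")
    return None


def inventory(base: str) -> List[PluginHit]:
    """Every directory holding a wp-config.php is treated as a site root."""
    hits: List[PluginHit] = []
    for root, _dirs, files in os.walk(base):
        if "wp-config.php" not in files:
            continue
        found = find_plugin(os.path.join(root, "wp-content", "plugins", PLUGIN_SLUG))
        if found:
            hits.append(PluginHit(site_root=root, main_file=found[0], version=found[1]))
    return hits


def build_sample_tree() -> str:
    """Constructed sample: two sites, only site-a has the plugin (version is made up)."""
    base = tempfile.mkdtemp(prefix="wp-inventory-")
    for site in ("site-a", "site-b"):
        os.makedirs(os.path.join(base, site, "wp-content", "plugins"))
        open(os.path.join(base, site, "wp-config.php"), "w").close()
    plugin_dir = os.path.join(base, "site-a", "wp-content", "plugins", PLUGIN_SLUG)
    os.makedirs(plugin_dir)
    with open(os.path.join(plugin_dir, PLUGIN_SLUG + ".php"), "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: JetSmartFilters\n * Version: 1.2.3\n */\n")
    return base


if __name__ == "__main__":
    # Usage: python inventory.py /var/www   (falls back to the constructed sample)
    base = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    hits = inventory(base)
    if not hits:
        print(f"No {PLUGIN_NAME} installations found under {base}")
    for hit in hits:
        print(f"{hit.site_root}: {PLUGIN_NAME} version {hit.version or 'unknown'} ({hit.main_file})")
```

Where WP-CLI is available on the host, `wp plugin list --format=json` run from each site root also reports whether the plugin is active, which the filesystem alone cannot show. In either case the version found has to be compared against the vendor's fixed release, which this page does not list.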
