CVE-2026-48875: WordPress JetSmartFilters plugin <= 3.8.1 - SQL Injection vulnerability
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.1 versions.
Metrics
- CVSS v3.1
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an unauthenticated SQL injection vulnerability in the JetSmartFilters WordPress plugin at version 3.8.1 and earlier. The vulnerability is reachable over the network without any login or credentials, meaning any internet-facing WordPress site running the affected plugin is exposed. Successful exploitation gives an attacker read access to the underlying database and limited ability to disrupt service availability. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images running the affected plugin version, including custom-built WordPress images. Any container image carrying JetSmartFilters 3.8.1 or earlier is flagged automatically during both registry scans and CI pipeline checks.
AvailableHarborGuard scores this vulnerability at CVSS 9.3 Critical and is capable of weighting that score against each customer environment's compliance policy to determine urgency and escalation path. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization based on ownership rules configured in their HarborGuard account.
AvailableBecause no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available as soon as Jetimpex Inc. ships a remediated release. In the meantime, customers with compensating-control policies enabled can receive guidance on network-policy isolation and egress filtering to reduce exposure while awaiting the upstream fix.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the WordPress service over the network; any internet-facing deployment of the affected plugin is directly exposed.
- AuthenticationNot required
No account or credentials of any privilege level are needed to trigger the SQL injection.
- Victim interactionNot required
No user action is required; the attacker sends a crafted HTTP request directly to the plugin endpoint.
- Attack complexityDetail
The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental prerequisites.
Blast Radius
- An attacker reads arbitrary rows from the WordPress database, including stored user credentials, session tokens, and customer records.
- Because the scope is changed (S:C), data exposure can extend beyond the WordPress application boundary to other databases or services sharing the same database server.
- The availability impact allows an attacker to partially degrade or crash the affected service, causing intermittent downtime for site visitors.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for this critical-severity SQL injection, HarborGuard monitors the Patchstack advisory and the Jetimpex release feed on every ingest cycle and will surface a patched-image rebuild the moment a fix version appears. Until then, customers can use HarborGuard network-policy recommendations to isolate affected containers, restrict database egress to known application accounts only, and apply egress filtering rules that limit which services can reach the WordPress instance. For environments where the plugin is not actively required, HarborGuard's compliance policy engine can flag the image for removal or feature-flag gating. When an upstream fix is published, customers with auto-remediation enabled will automatically receive a rebuilt image, a regression-test run, and a PR opened against affected workloads; for high and critical severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes after a fix version becomes available.
- Jetimpex Inc. / JetSmartFilters≤ 3.8.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L