CVE-2026-54836: WordPress Filter & Grids plugin <= 3.11.5 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from n/a through 3.11.5.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
SQL injection in the YMC Filter and Grids WordPress plugin (versions up to and including 3.11.5) is reachable over the network with no authentication required. An attacker sends a crafted HTTP request to a WordPress site running the plugin, injecting arbitrary SQL into the underlying database query. Successful exploitation reads sensitive data from the database and can cause limited service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built WordPress images that bundle the YMC Filter plugin. Status: Available.
HarborGuard scores this finding at CVSS 9.3 (Critical) and weights it against each environment's compliance policy to determine urgency and routing, directing alerts to the appropriate team inbox within each customer organization. Status: Available.
Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and pull request against affected workloads will be triggered automatically at that point. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required. The plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress site.
- Authentication: Not required. No account or session token is needed; the vulnerable parameter is accessible to unauthenticated HTTP requests.
- Victim interaction: Not required. The attacker sends a direct request to the server; no user action or social engineering is involved.
- Attack complexity: Low (AC:L). Exploitation is reliable and condition-free: no race conditions, memory layout knowledge, or special environmental factors are required.
Blast Radius
- Reads arbitrary database content, including WordPress user credentials (hashed passwords), email addresses, session tokens, and any stored customer or post data.
- Crosses the security boundary of the WordPress installation (Scope: Changed), meaning data from other applications sharing the same database server can be reached if the database user has broader permissions.
- Causes limited availability disruption through malformed or expensive queries that degrade database performance or produce errors visible to legitimate users.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged Critical and receives priority tracking. Because no patch exists yet, HarborGuard monitors the Patchstack advisory and NVD feeds on every ingest cycle so the fix version is picked up the moment it is published. In the interim, compensating controls worth considering include network-policy rules that restrict unexpected outbound database connections, web application firewall rules targeting SQL metacharacter patterns in plugin request parameters, and disabling or removing the YMC Filter plugin from images where it is not required. Where compliance policy permits, as soon as an upstream fix version is available, HarborGuard can trigger an automatic image rebuild, regression test run, and a pull request opened against affected workloads, with median time from CVE fix publication to merged patch PR around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.
Affected Products
- YMC / YMC Filter: ≤ 3.11.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L