HarborGuard Database

CRITICAL: CVE-2026-56067 (CNA: Patchstack)

CVE-2026-56067: WordPress JetSmartFilters plugin <= 3.8.3 - SQL Injection vulnerability

Unauthenticated SQL injection in JetSmartFilters versions <= 3.8.3.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no fixed release published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an unauthenticated SQL injection vulnerability in the JetSmartFilters WordPress plugin, versions 3.8.3 and earlier, developed by Crocoblock (Jetimpex Inc.). The flaw is reachable over the network with no authentication and no user interaction, which is what drives the CVSS 9.3 Critical rating. Successful exploitation gives an attacker read access to the underlying database (CVSS C:H) and can degrade availability (A:L); the vector records no integrity impact (I:N). No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available as soon as one is released.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-56067 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the JetSmartFilters plugin. Any image found to carry an affected version of the plugin is flagged immediately.

Triage (Available)

HarborGuard scores this finding at CVSS 9.3 Critical and weights it against each environment's compliance policy to determine urgency and escalation path. The resulting alert is routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated plugin release appears. In the interim, the finding remains open and visible in each environment's vulnerability queue so teams can apply compensating controls.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker can send crafted HTTP requests to the WordPress site from any location that can reach it (for most sites, anywhere on the internet) without prior access to the host.

  • Authentication: Not required

    No account or session token of any kind is needed; the injection point is reachable by any anonymous HTTP client.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator of the target site.

  • Attack complexity: Low

    Exploitation is reliable and requires no special timing, race conditions, or environmental prerequisites beyond a reachable target.

Blast Radius

  • An attacker reads arbitrary rows from the WordPress database, including password hashes, user email addresses, stored (hashed) session tokens, and any other data kept by installed plugins, such as API keys or customer records.
  • Database confidentiality is fully compromised (CVSS C:H): every record the WordPress database user can read is exposed, which on many deployments is the entire wp_ table set and, where one database account is shared across sites or applications, their tables as well.
  • Integrity is not scored (CVSS I:N); the advisory credits the flaw with data extraction, not modification.
  • Availability is partially degraded (CVSS A:L); malformed or resource-intensive SQL queries can slow or momentarily disrupt database responsiveness for legitimate site traffic.
  • Because the CVSS scope is Changed (S:C), the database server is treated as a security authority separate from the plugin and the WordPress application, so the impact extends to other components storing data in the same database, such as WooCommerce or membership systems running on the same install.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all scanning environments, and any image containing JetSmartFilters 3.8.3 or earlier is flagged at CVSS 9.3 Critical the moment a scan runs. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run plus a PR against affected workloads as soon as a fixed version is published. While waiting for an upstream fix, the strongest compensating control is to deactivate and, ideally, remove the JetSmartFilters plugin, or replace it with a non-vulnerable alternative, if business requirements allow. Weaker stopgaps: a web application firewall rule that blocks SQL metacharacters in filter-related query parameters (expect bypasses via encoding and comment tricks, and test that it does not break legitimate filter values), network policy that limits which containers can reach the database, and scoping the WordPress database user to its own schema with only the privileges it needs, so that an injected query cannot read tables belonging to other applications on the same database server. HarborGuard will surface the patched rebuild automatically; no manual re-scan is needed.
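The detection step above, reduced to its core, is a version-range check against the advisory's <= 3.8.3 bound. The following is an added example, not HarborGuard's, Patchstack's or Crocoblock's code: it locates the plugin under a wp-content/plugins tree, reads the version from the WordPress plugin header ("Version:" in the main plugin file) or from readme.txt ("Stable tag:"), and compares it component-wise as integers so that 3.8.10 and 3.10.0 are correctly treated as newer than 3.8.3 (a plain string comparison gets both wrong). The plugin slug jet-smart-filters and the main-file name are assumptions made for the example, and the 3.8.3 header written by demo() is constructed sample input.

```python
"""Version-range check for CVE-2026-56067 (JetSmartFilters <= 3.8.3).

Added example; not HarborGuard's, Patchstack's or Crocoblock's code.
The plugin slug and main-file name below are assumptions for this example.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

CVE_ID = "CVE-2026-56067"
LAST_AFFECTED = "3.8.3"             # per the advisory; no fixed release published yet
PLUGIN_SLUG = "jet-smart-filters"   # assumed directory name and main-file basename

# WordPress conventions: "Version:" in the main file's header comment,
# "Stable tag:" in readme.txt. Both are matched at the start of a line.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
_STABLE_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.8.3' -> (3, 8, 3, 0, 1); '3.8' -> (3, 8, 0, 0, 1); '3.8.4-rc1' -> (3, 8, 4, 0, 0).

    Components are compared as integers, not strings. The trailing flag puts
    a pre-release (any suffix such as -rc1 or -beta) before its final release.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))           # pad so that 3.8 == 3.8.0.0
    is_final = 0 if m.group(2) else 1
    return tuple(nums) + (is_final,)


def is_affected(version: str) -> bool:
    """True when version falls inside the advisory range (<= LAST_AFFECTED)."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def installed_version(plugin_dir: Path) -> Optional[str]:
    """Version from the main plugin file header, falling back to readme.txt."""
    for path, pattern in ((plugin_dir / f"{PLUGIN_SLUG}.php", _VERSION_RE),
                          (plugin_dir / "readme.txt", _STABLE_RE)):
        if path.is_file():
            m = pattern.search(path.read_text(errors="replace"))
            if m:
                return m.group(1)
    return None


def scan_plugins_dir(plugins_root: Path) -> dict:
    """Scan one wp-content/plugins directory and report the finding as a dict."""
    plugin_dir = plugins_root / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return {"installed": False}
    version = installed_version(plugin_dir)
    if version is None:
        # present but no readable header: surface it rather than silently pass
        return {"installed": True, "version": None, "affected": None,
                "note": "no version header found; review manually"}
    return {"installed": True, "version": version,
            "affected": is_affected(version), "cve": CVE_ID}


def demo(version: str = "3.8.3") -> dict:
    """Build a throwaway plugins tree with a constructed header and scan it."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    plugin_dir = root / PLUGIN_SLUG
    plugin_dir.mkdir(parents=True)
    # constructed sample header in the WordPress plugin-header format
    (plugin_dir / f"{PLUGIN_SLUG}.php").write_text(
        f"<?php\n/**\n * Plugin Name: JetSmartFilters\n * Version: {version}\n */\n")
    return scan_plugins_dir(root)


if __name__ == "__main__":
    print(demo())   # {'installed': True, 'version': '3.8.3', 'affected': True, 'cve': 'CVE-2026-56067'}
```

Point scan_plugins_dir() at a real wp-content/plugins directory (or at the same path inside an unpacked container image) to check an actual install. A plugin directory with no readable version header is reported as a finding that needs manual review rather than as clean, since a scanner that stays silent on ambiguity is the one that misses the affected install.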

Affected packages
  • Crocoblock. Jetimpex Inc. / JetSmartFilters
    ≤ 3.8.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L