YMC Filter Security & Risk Analysis

wordpress.org/plugins/ymc-smart-filter

A powerful and flexible plugin to filter and display posts, custom post types, and other content in beautifully designed grid layouts.

Active installs: 5K
Version: 3.8.1
PHP: 7.2+
WP: 5.5+
Updated: Mar 15, 2026
Tags: ajax, filter, grid, masonry, search

Security score: 90 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Dec 12, 2025
Safety Verdict

Is YMC Filter Safe to Use in 2026?

Generally Safe

Score 90/100

YMC Filter has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Dec 12, 2025 · Updated 20d ago
Risk Assessment

The ymc-smart-filter plugin, version 3.8.1, has a mixed security posture. It is strong on SQL query sanitization and output escaping: most outputs are properly escaped and a majority of SQL queries use prepared statements. There are, however, significant concerns. Two AJAX handlers lack authentication checks, which gives an attacker a direct entry point and raises the risk of unauthorized actions. The plugin's history of four known CVEs, an unauthenticated SQL injection and a critical PHP file inclusion alongside medium-severity CSRF and stored XSS, shows a pattern of exploitable weaknesses. That an unauthenticated SQL injection was reported as recently as December 2025, even though it was patched within a day, points to ongoing security challenges and a need for vigilant monitoring. Weighed for immediate risk, the unprotected attack surface combined with a history of serious vulnerabilities outweighs the sound coding practices.

Key Concerns

  • Unprotected AJAX handlers
  • Known CVEs (1 critical, 3 medium)
  • Taint analysis shows unsanitized paths
Vulnerabilities (4)

YMC Filter Security Vulnerabilities

CVEs by Year

2024: 3 CVEs
2025: 1 CVE

Severity Breakdown

Critical: 1
Medium: 3
Total: 4 CVEs

CVE-2025-10289 · Medium · CVSS 5.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Filter & Grids <= 3.2.0 - Unauthenticated SQL Injection

Dec 12, 2025 · Patched in 3.2.1 (1d)

CVE-2024-39664 · Medium · CVSS 4.3 · Cross-Site Request Forgery (CSRF)

Filter & Grids <= 2.8.33 - Cross-Site Request Forgery

Aug 1, 2024 · Patched in 2.8.34 (7d)

CVE-2024-39665 · Medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Filter & Grids <= 2.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Aug 1, 2024 · Patched in 2.9.3 (7d)

CVE-2024-6164 · Critical · CVSS 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Filter & Grids <= 2.8.32 - Unauthenticated Local File Inclusion

Jun 27, 2024 · Patched in 2.8.33 (5d)
Code Analysis (analyzed Mar 16, 2026)

YMC Filter Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (5 prepared)
Unescaped Output: 590 (2425 escaped)
Nonce Checks: 50
Capability Checks: 14
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

71% prepared (7 total queries)

Output Escaping

80% escaped (3015 total outputs)
Data Flows (2 unsanitized)

Data Flow Analysis

8 flows, 2 with unsanitized paths

load_dependent_terms (ymc2\src\frontend\FG_Ajax_Responder.php:897)
Attack Surface (2 unprotected)

YMC Filter Attack Surface

Entry Points: 61
Unprotected: 2

AJAX Handlers (57)

Type    Hook    Location
auth    wp_ajax_ymc_get_taxonomy    includes\core\admin\Ajax.php:26
auth    wp_ajax_ymc_get_terms    includes\core\admin\Ajax.php:28
auth    wp_ajax_ymc_tax_sort    includes\core\admin\Ajax.php:30
auth    wp_ajax_ymc_term_sort    includes\core\admin\Ajax.php:32
auth    wp_ajax_ymc_delete_choices_posts    includes\core\admin\Ajax.php:34
auth    wp_ajax_ymc_delete_choices_icons    includes\core\admin\Ajax.php:36
auth    wp_ajax_ymc_options_icons    includes\core\admin\Ajax.php:38
auth    wp_ajax_ymc_options_terms    includes\core\admin\Ajax.php:40
auth    wp_ajax_ymc_export_settings    includes\core\admin\Ajax.php:42
auth    wp_ajax_ymc_import_settings    includes\core\admin\Ajax.php:44
auth    wp_ajax_ymc_updated_taxonomy    includes\core\admin\Ajax.php:46
auth    wp_ajax_ymc_taxonomy_options    includes\core\admin\Ajax.php:48
auth    wp_ajax_ymc_selected_posts    includes\core\admin\Ajax.php:50
auth    wp_ajax_ymc_search_posts    includes\core\admin\Ajax.php:52
auth    wp_ajax_ymc_search_featured_posts    includes\core\admin\Ajax.php:54
auth    wp_ajax_ymc_delete_featured_posts    includes\core\admin\Ajax.php:56
auth    wp_ajax_ymc_loaded_featured_posts    includes\core\admin\Ajax.php:58
auth    wp_ajax_ymc_update_plugin_version    includes\core\admin\Ajax.php:60
auth    wp_ajax_ymc_get_posts    includes\core\frontend\Get_Posts.php:21
nopriv    wp_ajax_ymc_get_posts    includes\core\frontend\Get_Posts.php:22
auth    wp_ajax_ymc_autocomplete_search    includes\core\frontend\Get_Posts.php:24
nopriv    wp_ajax_ymc_autocomplete_search    includes\core\frontend\Get_Posts.php:25
auth    wp_ajax_get_post_popup    includes\core\frontend\Get_Posts.php:27
nopriv    wp_ajax_get_post_popup    includes\core\frontend\Get_Posts.php:28
auth    wp_ajax_action_get_taxonomies    ymc2\src\admin\FG_Ajax_Admin.php:21
auth    wp_ajax_action_get_terms    ymc2\src\admin\FG_Ajax_Admin.php:22
auth    wp_ajax_action_remove_terms    ymc2\src\admin\FG_Ajax_Admin.php:23
auth    wp_ajax_action_updated_taxonomies    ymc2\src\admin\FG_Ajax_Admin.php:24
auth    wp_ajax_action_taxonomies_sort    ymc2\src\admin\FG_Ajax_Admin.php:25
auth    wp_ajax_action_terms_sort    ymc2\src\admin\FG_Ajax_Admin.php:26
auth    wp_ajax_action_selected_posts    ymc2\src\admin\FG_Ajax_Admin.php:27
auth    wp_ajax_action_search_feed_posts    ymc2\src\admin\FG_Ajax_Admin.php:28
auth    wp_ajax_action_save_taxonomy_attrs    ymc2\src\admin\FG_Ajax_Admin.php:29
auth    wp_ajax_action_save_term_attrs    ymc2\src\admin\FG_Ajax_Admin.php:30
auth    wp_ajax_action_clear_terms_cache    ymc2\src\admin\FG_Ajax_Admin.php:31
auth    wp_ajax_action_get_selected_taxonomies    ymc2\src\admin\FG_Ajax_Admin.php:32
auth    wp_ajax_action_upload_term_icon    ymc2\src\admin\FG_Ajax_Admin.php:33
auth    wp_ajax_action_export_settings    ymc2\src\admin\FG_Ajax_Admin.php:34
auth    wp_ajax_action_import_settings    ymc2\src\admin\FG_Ajax_Admin.php:35
auth    wp_ajax_action_update_related_terms    ymc2\src\admin\FG_Ajax_Admin.php:36
auth    wp_ajax_action_update_root_source_terms    ymc2\src\admin\FG_Ajax_Admin.php:37
auth    wp_ajax_action_load_usage_page    ymc2\src\admin\FG_Ajax_Admin.php:38
auth    wp_ajax_action_scan_existing_posts    ymc2\src\admin\FG_Ajax_Admin.php:39
auth    wp_ajax_action_lb_save_layout    ymc2\src\admin\FG_Ajax_Admin.php:40
auth    wp_ajax_action_get_classic_snapshot    ymc2\src\admin\FG_Ajax_Admin.php:41
auth    wp_ajax_get_filtered_posts    ymc2\src\frontend\FG_Ajax_Responder.php:21
nopriv    wp_ajax_get_filtered_posts    ymc2\src\frontend\FG_Ajax_Responder.php:22
auth    wp_ajax_get_post_to_popup    ymc2\src\frontend\FG_Ajax_Responder.php:24
nopriv    wp_ajax_get_post_to_popup    ymc2\src\frontend\FG_Ajax_Responder.php:25
auth    wp_ajax_get_autocomplete_suggestions    ymc2\src\frontend\FG_Ajax_Responder.php:27
nopriv    wp_ajax_get_autocomplete_suggestions    ymc2\src\frontend\FG_Ajax_Responder.php:28
auth    wp_ajax_load_dependent_terms    ymc2\src\frontend\FG_Ajax_Responder.php:30
nopriv    wp_ajax_load_dependent_terms    ymc2\src\frontend\FG_Ajax_Responder.php:31
auth    wp_ajax_update_track_view    ymc2\src\frontend\FG_Ajax_Responder.php:33
nopriv    wp_ajax_update_track_view    ymc2\src\frontend\FG_Ajax_Responder.php:34
auth    wp_ajax_get_filter_search_terms    ymc2\src\frontend\FG_Ajax_Responder.php:36
nopriv    wp_ajax_get_filter_search_terms    ymc2\src\frontend\FG_Ajax_Responder.php:37

Shortcodes (4)

[ymc_filter] includes\core\frontend\Shortcode.php:22
[ymc_extra_filter] includes\core\frontend\Shortcode.php:23
[ymc_extra_search] includes\core\frontend\Shortcode.php:24
[ymc_extra_sort] includes\core\frontend\Shortcode.php:25
WordPress Hooks (59)

Type    Hook    Location
action    init    includes\core\admin\Cpt.php:15
filter    manage_edit-ymc_filters_columns    includes\core\admin\Cpt.php:42
action    manage_ymc_filters_posts_custom_column    includes\core\admin\Cpt.php:58
filter    ymc_filter_layouts    includes\core\admin\Filters.php:16
filter    ymc_post_layouts    includes\core\admin\Filters.php:17
filter    ymc_featured_post_layout    includes\core\admin\Filters.php:18
filter    ymc_pagination_type    includes\core\admin\Filters.php:19
filter    ymc_order_post_by    includes\core\admin\Filters.php:20
filter    ymc_filter_font    includes\core\admin\Filters.php:21
filter    ymc_post_font    includes\core\admin\Filters.php:22
action    admin_enqueue_scripts    includes\core\admin\Load_Scripts.php:24
action    wp_enqueue_scripts    includes\core\admin\Load_Scripts.php:25
action    wp_enqueue_scripts    includes\core\admin\Load_Scripts.php:26
action    add_meta_boxes    includes\core\admin\Meta_Boxes.php:14
action    add_meta_boxes    includes\core\admin\Meta_Boxes.php:15
action    save_post_ymc_filters    includes\core\admin\Meta_Boxes.php:16
action    wp_dashboard_setup    includes\core\admin\Meta_Boxes.php:17
action    admin_bar_menu    includes\core\admin\Meta_Boxes.php:18
action    current_screen    includes\core\admin\Meta_Boxes.php:19
action    in_admin_header    includes\core\admin\Meta_Boxes.php:31
filter    posts_where    includes\core\frontend\Get_Posts.php:337
action    plugins_loaded    includes\Plugin.php:180
filter    upload_mimes    ymc2\src\admin\FG_Ajax_Admin.php:575
action    admin_enqueue_scripts    ymc2\src\admin\FG_Backend_Scripts.php:18
action    admin_print_scripts    ymc2\src\admin\FG_Backend_Scripts.php:19
filter    script_loader_tag    ymc2\src\admin\FG_Backend_Scripts.php:34
action    admin_menu    ymc2\src\admin\FG_General_Settings.php:15
action    admin_notices    ymc2\src\admin\FG_General_Settings.php:17
action    admin_post_plugin_settings_save    ymc2\src\admin\FG_General_Settings.php:19
action    add_meta_boxes    ymc2\src\admin\FG_Meta_Boxes.php:23
action    add_meta_boxes    ymc2\src\admin\FG_Meta_Boxes.php:24
action    current_screen    ymc2\src\admin\FG_Meta_Boxes.php:25
action    admin_bar_menu    ymc2\src\admin\FG_Meta_Boxes.php:26
action    wp_dashboard_setup    ymc2\src\admin\FG_Meta_Boxes.php:27
filter    post_updated_messages    ymc2\src\admin\FG_Meta_Boxes.php:28
action    admin_body_class    ymc2\src\admin\FG_Meta_Boxes.php:68
action    in_admin_header    ymc2\src\admin\FG_Meta_Boxes.php:69
action    admin_body_class    ymc2\src\admin\FG_Meta_Boxes.php:73
action    in_admin_header    ymc2\src\admin\FG_Meta_Boxes.php:74
filter    hidden_meta_boxes    ymc2\src\admin\FG_Meta_Boxes.php:75
action    admin_body_class    ymc2\src\admin\FG_Meta_Boxes.php:85
action    in_admin_header    ymc2\src\admin\FG_Meta_Boxes.php:86
action    init    ymc2\src\admin\FG_Post_Type.php:20
filter    manage_edit-ymc_filters_columns    ymc2\src\admin\FG_Post_Type.php:63
action    manage_ymc_filters_posts_custom_column    ymc2\src\admin\FG_Post_Type.php:76
action    save_post_ymc_filters    ymc2\src\admin\FG_Save_Meta_Boxes.php:20
action    save_post    ymc2\src\admin\FG_Save_Meta_Boxes.php:22
filter    posts_join    ymc2\src\frontend\FG_Ajax_Responder.php:875
filter    posts_where    ymc2\src\frontend\FG_Ajax_Responder.php:876
filter    posts_distinct    ymc2\src\frontend\FG_Ajax_Responder.php:877
filter    posts_where    ymc2\src\frontend\FG_Ajax_Responder.php:1165
action    wp_enqueue_scripts    ymc2\src\frontend\FG_Frontend_Scripts.php:19
action    wp_print_scripts    ymc2\src\frontend\FG_Frontend_Scripts.php:20
action    wp_print_scripts    ymc2\src\frontend\FG_Frontend_Scripts.php:21
filter    script_loader_tag    ymc2\src\frontend\FG_Frontend_Scripts.php:37
filter    ymc_active_grid_ids    ymc2\src\frontend\FG_Popup_Manager.php:23
action    wp_footer    ymc2\src\frontend\FG_Popup_Manager.php:33
action    admin_bar_menu    ymc2\src\frontend\FG_Shortcodes.php:32
action    plugins_loaded    ymc2\YMC_Filter_Grids.php:53
Maintenance & Trust

YMC Filter Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 15, 2026
PHP min version: 7.2
Downloads: 153K

Community Trust

Rating: 96/100
Number of ratings: 30
Active installs: 5K
Developer Profile

YMC Filter Developer Profile

YMC

2 plugins · 5K total installs

Trust score: 97
Avg Security Score: 95/100
Avg Patch Time: 5 days
Detection Fingerprints

How We Detect YMC Filter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ymc-smart-filter/includes/assets/css/admin.css
/wp-content/plugins/ymc-smart-filter/includes/assets/js/admin.min.js
/wp-content/plugins/ymc-smart-filter/includes/assets/js/updatePluginVer.js
/wp-content/plugins/ymc-smart-filter/includes/assets/js/masonry.js
/wp-content/plugins/ymc-smart-filter/includes/assets/js/script.min.js
/wp-content/plugins/ymc-smart-filter/includes/assets/css/datepicker.css
/wp-content/plugins/ymc-smart-filter/includes/assets/css/style.css

Script Paths
/wp-content/plugins/ymc-smart-filter/includes/assets/js/admin.min.js
/wp-content/plugins/ymc-smart-filter/includes/assets/js/updatePluginVer.js
/wp-content/plugins/ymc-smart-filter/includes/assets/js/masonry.js
/wp-content/plugins/ymc-smart-filter/includes/assets/js/script.min.js

Version Parameters
ymc-smart-filter/includes/assets/css/admin.css?ver=
ymc-smart-filter/includes/assets/js/admin.min.js?ver=
ymc-smart-filter/includes/assets/js/updatePluginVer.js?ver=
ymc-smart-filter/includes/assets/js/masonry.js?ver=
ymc-smart-filter/includes/assets/js/script.min.js?ver=
ymc-smart-filter/includes/assets/css/datepicker.css?ver=
ymc-smart-filter/includes/assets/css/style.css?ver=

HTML / DOM Fingerprints

CSS Classes
ymc-smart-filter-wrap
ymc-smart-filter-filter-wrap
ymc-smart-filter-filter-content
ymc-smart-filter-content-wrap
ymc-smart-filter-item
ymc-smart-filter-loading

Data Attributes
data-ymc-smart-filter-id
data-ymc-smart-filter-wrap-id
data-ymc-smart-filter-instance

JS Globals
_smart_filter_object
_ymc_fg_object

Shortcode Output
[ymc_filter]
[ymc_extra_filter]
[ymc_extra_search]
[ymc_extra_sort]
FAQ

Frequently Asked Questions about YMC Filter