The jet-smart-filters plugin dynamically builds SQL queries by concatenating values directly, without using prepared statements. This can lead to SQL Injection if any value is not properly sanitized.
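The concatenation pattern described above next to a prepared-statement form, as an added example: this is not code from jet-smart-filters, the function names, meta key handling and sort keys are hypothetical, and it assumes a WordPress runtime where the global `$wpdb` is available.

```php
<?php
// Added illustration, not plugin code. All example_* names are hypothetical.

// Pattern described above: request values concatenated into the SQL string.
function example_filter_ids_concat( $meta_key, $values ) {
	global $wpdb;
	$list = "'" . implode( "','", $values ) . "'";
	// A quote character inside $meta_key or $values changes the query structure.
	return $wpdb->get_col(
		"SELECT post_id FROM {$wpdb->postmeta}
		 WHERE meta_key = '" . $meta_key . "' AND meta_value IN (" . $list . ")"
	);
}

// Hardened form: the SQL text is fixed, values travel only as bound arguments.
function example_filter_ids_prepared( $meta_key, $values ) {
	global $wpdb;
	// Keep scalar values only and normalise them to strings.
	$values = array_values( array_map( 'strval', array_filter( (array) $values, 'is_scalar' ) ) );
	if ( empty( $values ) ) {
		return array(); // Never emit "IN ()" for an empty filter.
	}
	// One %s per value; the placeholder string depends on the count only.
	$placeholders = implode( ',', array_fill( 0, count( $values ), '%s' ) );
	$sql = $wpdb->prepare(
		"SELECT post_id FROM {$wpdb->postmeta}
		 WHERE meta_key = %s AND meta_value IN ($placeholders)",
		array_merge( array( (string) $meta_key ), $values )
	);
	return array_map( 'absint', $wpdb->get_col( $sql ) );
}

// Identifiers (sort column, direction) cannot be bound as values,
// so they are mapped through a fixed allow-list instead of being sanitized.
function example_order_clause( $orderby, $order ) {
	$columns = array( 'id' => 'post_id', 'value' => 'meta_value' );
	$column  = isset( $columns[ $orderby ] ) ? $columns[ $orderby ] : 'post_id';
	$dir     = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';
	return "ORDER BY {$column} {$dir}";
}
```

When reviewing a code base for this pattern, the places to check are `$wpdb` query calls whose SQL string contains a `.` concatenation or an interpolated request variable rather than a `prepare()` placeholder.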