Description
Incorrect Privilege Assignment vulnerability in XforWooCommerce Product Filter for WooCommerce prdctfltr allows Privilege Escalation.This issue affects Product Filter for WooCommerce: from n/a through <= 9.1.2.
Published: 2026-02-20
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via incorrect privilege assignment
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the XforWooCommerce Product Filter for WooCommerce plugin allows an attacker to improperly elevate privileges. The flaw stems from incorrect privilege assignment, enabling a lower‑privileged user to obtain higher level rights within the WordPress site. This is a classic example of CWE-266: Incorrect Privilege Assignment. Any escalation grants the attacker full control over the plugin and, potentially, deeper access to the WordPress backend, compromising confidentiality, integrity, and availability of site data.

Affected Systems

WordPress sites that use the XforWooCommerce Product Filter for WooCommerce plugin, specifically versions up to and including 9.1.2. All earlier releases are also affected, as the issue is present from the initial version through 9.1.2.

Risk and Exploitability

The CVSS score is 7.2, indicating a high severity. The EPSS score is less than 1%, suggesting that the probability of exploitation is low at present. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is likely authenticated; a user with a normal WordPress role could trigger the flaw and raise their own privileges. The affected code path allows the attacker to gain capabilities beyond their current role, enabling further exploitation of the site.

Generated by OpenCVE AI on April 28, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Product Filter for WooCommerce plugin to a version newer than 9.1.2.
  • If an upgrade cannot be performed immediately, remove the capabilities that grant plugin control from non‑administrator roles, ensuring that only administrators can modify plugin settings.
  • Disable or delete the Product Filter for WooCommerce plugin entirely to eliminate the vulnerability.

Generated by OpenCVE AI on April 28, 2026 at 17:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Xforwoocommerce
Xforwoocommerce product Filter For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Xforwoocommerce
Xforwoocommerce product Filter For Woocommerce

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in XforWooCommerce Product Filter for WooCommerce prdctfltr allows Privilege Escalation.This issue affects Product Filter for WooCommerce: from n/a through <= 9.1.2.
Title WordPress Product Filter for WooCommerce plugin <= 9.1.2 - Privilege Escalation vulnerability
Weaknesses CWE-266
References

Subscriptions

Wordpress Wordpress
Xforwoocommerce Product Filter For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:39.701Z

Reserved: 2025-12-31T20:13:05.452Z

Link: CVE-2025-69378

cve-icon Vulnrichment

Updated: 2026-02-27T17:52:29.386Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:22.297

Modified: 2026-04-27T19:16:43.473

Link: CVE-2025-69378

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T17:45:16Z

Weaknesses