Description
The Product Filter by WBW plugin for WordPress is vulnerable to SQL Injection via the 'filtersDataBackend' parameter in all versions up to, and including, 2.9.7. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-10-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure via Unauthenticated SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The Product Filter by WBW plugin for WordPress is vulnerable to SQL injection through the filtersDataBackend parameter in all versions up to 2.9.7. Because the input is not properly escaped or prepared, an attacker can append arbitrary SQL statements, allowing the extraction of sensitive data from the database. This vulnerability is a classic CWE-89 reflected injection and poses a significant confidentiality risk.

Affected Systems

All WordPress installations that use the WooCommerce Product Filter by WBW add‑on, with versions 2.9.7 or earlier. The vendor is woobewoo and any site not upgraded beyond 2.9.7 remains affected.

Risk and Exploitability

The CVSS base score of 7.5 places the flaw in the high severity range, underscoring the potential impact if exploited. The EPSS score of < 1% indicates a very low probability that a publicly available exploit is being used today, and the flaw is not yet listed in CISA's KEV catalog. Nevertheless, because the attack vector is unauthenticated and can be triggered via a crafted HTTP request to the plugin's backend endpoint, an attacker with network visibility or control of the site’s front‑end can attempt injection. No elevated privileges or special conditions are required, further lowering the barrier to exploitation.

Generated by OpenCVE AI on April 20, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version that has been patched, according to the vendor’s advisories.
  • If an immediate upgrade is not possible, block unauthenticated access to the filtersDataBackend endpoint by configuring the web server to require authentication or by using firewall rules to restrict the relevant URL.
  • Review the database for any unauthorized data that may have been exfiltrated, consider rotating database credentials, and enable database query logs to detect anomalous activity.

Generated by OpenCVE AI on April 20, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Woobewoo
Woobewoo product Filter
Wordpress
Wordpress wordpress
Vendors & Products Woobewoo
Woobewoo product Filter
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 25 Oct 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Product Filter by WBW plugin for WordPress is vulnerable to SQL Injection via the 'filtersDataBackend' parameter in all versions up to, and including, 2.9.7. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Product Filter by WBW <= 2.9.7 - Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Woobewoo Product Filter
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:09.376Z

Reserved: 2025-07-31T14:09:37.682Z

Link: CVE-2025-8416

cve-icon Vulnrichment

Updated: 2025-10-27T15:35:31.303Z

cve-icon NVD

Status : Deferred

Published: 2025-10-25T07:15:41.357

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8416

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses