CVE-2026-3138 - Vulnerability Details

- Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE

Description

The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations.

Published: 2026-03-24

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Product Filter for WooCommerce by WBW plugin for WordPress contains a missing capability check that allows attackers to send unauthenticated AJAX requests using the wp_ajax_nopriv_ hook. The plugin’s controller forwards undefined method calls to the model through a magic __call() method, and default permission checks always return true when no explicit permissions are set. This combination lets an attacker issue a crafted request that executes a TRUNCATE TABLE command on the plugin’s wp_wpf_filters database table, permanently deleting all filter configurations and causing irreversible data loss.

Affected Systems

WordPress sites running the Product Filter for WooCommerce by WBW plugin in any version up to and including 3.1.2 are affected. The vulnerability does not involve other plugins or core WordPress components. Any site using these versions of the plugin is at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity vulnerability. The EPSS score is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated web request—an attacker can simply send the malicious AJAX call to the vulnerable plugin’s endpoint without needing credentials or any prior compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

woobewoo

Product Filter for WooCommerce by WBW

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.1.2

No data.

Vendor Product Confidence Versions

Woobewoo

Product Filter For Woocommerce By Wbw

100%

Version	Status	Scheme	Platform
`[0,3.1.2]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Product Filter for WooCommerce by WBW plugin to version 3.1.3 or later.

Generated by OpenCVE AI on March 24, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.php#L99
https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L280
https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L416
https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.php#L345
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3487143%40woo-product-filter%2Ftrunk&old=3479545%40woo-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2
https://wordpress.org/plugins/woo-product-filter/
https://www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04e?source=cve

History

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Woobewoo Woobewoo product Filter For Woocommerce By Wbw Wordpress Wordpress wordpress
Vendors & Products		Woobewoo Woobewoo product Filter For Woocommerce By Wbw Wordpress Wordpress wordpress

Tue, 24 Mar 2026 05:15:00 +0000

Type	Values Removed	Values Added
Description		The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations.
Title		Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.php#L99 https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L280 https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L416 https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.php#L345 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3487143%40woo-product-filter%2Ftrunk&old=3479545%40woo-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2 https://wordpress.org/plugins/woo-product-filter/ https://www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04e?source=cve
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Woobewoo Product Filter For Woocommerce By Wbw

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-03-24T04:27:49.387Z

Updated: 2026-04-08T16:34:13.999Z

Reserved: 2026-02-24T17:37:54.106Z

Link: CVE-2026-3138

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-24T05:16:23.727

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-3138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:40:07Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object