Description
WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-04-08
Score: 7.5 High
EPSS: 17.0% Moderate
KEV: No
Impact: SQL injection allowing unauthenticated attackers to exfiltrate database data
Action: Patch
AI Analysis

Impact

The WCAPF – Ajax Product Filter plugin for WooCommerce contains a flaw where the user supplied 'post-author' parameter is not properly escaped in the SQL query. This vulnerability, coded as CWE‑89, permits time‑based SQL injection that can retrieve sensitive database information. Because the flaw is exploitable without authentication and relies only on sending a crafted HTTP request to the AJAX endpoint, it threatens the confidentiality and integrity of the site’s database contents.

Affected Systems

The flaw affects the WCAPF – Ajax Product Filter plugin distributed by shamimmoeen. All WordPress sites running any version of the plugin up to and including 4.2.3 are vulnerable. Sites that have not upgraded beyond 4.2.3 remain at risk until a patch is applied.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is classified as high severity. The EPSS score of 17% indicates a moderate likelihood of exploitation. It is not listed in the CISA KEV catalog, but the unauthenticated, time‑based nature of the attack makes it possible to probe the database without detection. The attack is likely to target the AJAX product filter endpoint by manipulating the 'post-author' parameter, and no additional privileges are required to succeed.

Generated by OpenCVE AI on April 21, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately upgrade the WCAPF – Ajax Product Filter plugin to the latest version (4.3.0 or later) where the SQL injection issue is resolved.
  • If an upgrade cannot be performed promptly, disable the Ajax product filter feature or remove the plugin altogether to eliminate the vulnerable endpoint.
  • Deploy or configure a web application firewall (e.g., Wordfence) to block SQL injection attempts on the 'post-author' parameter, adding a rule that rejects requests containing typical SQL payload patterns or time-delay functions.

Generated by OpenCVE AI on April 21, 2026 at 23:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Shamimmoeen
Shamimmoeen wcapf – Ajax Product Filter For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Shamimmoeen
Shamimmoeen wcapf – Ajax Product Filter For Woocommerce
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Description WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Shamimmoeen Wcapf – Ajax Product Filter For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:53:21.100Z

Reserved: 2026-02-28T21:12:43.762Z

Link: CVE-2026-3396

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-04-08T12:16:21.763

Modified: 2026-04-24T18:05:09.240

Link: CVE-2026-3396

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses