Description
WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated time‑based SQL injection enabling database data exfiltration
Action: Patch / Update
AI Analysis

Impact

The WCAPF – Ajax Product Filter plugin for WooCommerce contains a gateway that does not properly escape the user supplied 'post-author' parameter, allowing a time‑based SQL injection to be injected into the underlying database query. This weakness, identified as CWE‑89, permits an attacker to append arbitrary SQL that can probe and extract sensitive information from the database. As the vulnerability is exploitable by unauthenticated users and can reveal confidential data, it represents a serious threat to the confidentiality and integrity of the site’s data.

Affected Systems

The vulnerability affects the WCAPF – Ajax Product Filter for WooCommerce plugin released by shamimmoeen. All installed instances of the plugin with a version number of 4.2.3 or earlier are susceptible. Any WordPress site that has not upgraded beyond this version is at risk.

Risk and Exploitability

The CVSS score of 7.5 classifies the flaw as high severity. While an EPSS score is not available and it is not listed in the KEV database, the fact that it is unauthenticated and leverages a time‑based technique implies an attacker can probe the database without detection by forcing delay responses. The likely attack vector is the AJAX product filter endpoint, where the 'post-author' parameter is passed directly to the database. Exploitation requires only sending a crafted HTTP request; no additional privileges are necessary.

Generated by OpenCVE AI on April 8, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WCAPF – Ajax Product Filter plugin to the latest available version that removes the unsanitized 'post-author' input.
  • If an immediate update is not possible, restrict unauthenticated access to the AJAX product filter endpoint or remove the 'post-author' parameter from the query altogether.
  • Consider implementing a web application firewall rule that blocks suspicious SQL injection patterns on the affected endpoint.
  • Verify that the WordPress core and other plugins are up‑to‑date to reduce the overall attack surface.

Generated by OpenCVE AI on April 8, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Shamimmoeen
Shamimmoeen wcapf – Ajax Product Filter For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Shamimmoeen
Shamimmoeen wcapf – Ajax Product Filter For Woocommerce
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Description WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Shamimmoeen Wcapf – Ajax Product Filter For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:53:21.100Z

Reserved: 2026-02-28T21:12:43.762Z

Link: CVE-2026-3396

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T12:16:21.763

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-3396

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:39:46Z

Weaknesses