Description
The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
Published: 2026-04-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Apply Patch
AI Analysis

Impact

The Product Filter for WooCommerce plugin before version 3.1.3 fails to sanitize a user-supplied parameter, enabling unauthenticated SQL injection. Attackers can inject arbitrary SQL, potentially retrieving, modifying, or deleting database contents, jeopardizing confidential data and site integrity.

Affected Systems

WordPress sites using the Product Filter for WooCommerce plugin by WBW with versions older than 3.1.3 are affected.

Risk and Exploitability

Because the vulnerability is unauthenticated and exploits a publicly accessible input, the attack vector is likely remote via HTTP requests. The exploitation does not require additional privileges; any site visitor can send the malicious payload. Without a CVSS or EPSS score, the risk assessment relies on the inherent severity of unauthenticated SQL injection, which is high. The vulnerability is not currently listed in CISA’s KEV catalog, but the potential for data breaches remains significant.

Generated by OpenCVE AI on April 13, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Product Filter for WooCommerce plugin to version 3.1.3 or later.
  • If immediate update is not possible, restrict public access to the affected parameter until a patch is applied.
  • Implement a web application firewall to detect and block suspicious SQL injection attempts.
  • Review database logs for signs of unauthorized queries and take appropriate action.

Generated by OpenCVE AI on April 13, 2026 at 08:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wbw
Wbw product Filter For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Wbw
Wbw product Filter For Woocommerce
Wordpress
Wordpress wordpress

Mon, 13 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
Title Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi
References

Subscriptions

Wbw Product Filter For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-13T12:56:39.504Z

Reserved: 2026-03-09T12:31:36.985Z

Link: CVE-2026-3830

cve-icon Vulnrichment

Updated: 2026-04-13T12:56:29.855Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T07:16:50.270

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-3830

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:52:46Z

Weaknesses