Description
The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
Published: 2026-04-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Product Filter for WooCommerce WordPress plugin before version 3.1.3 allows an unauthenticated user to submit a crafted request that bypasses input sanitization and injects arbitrary SQL code. This unauthorized injection can read, alter or delete any database table accessed by the plugin, thereby compromising data confidentiality and integrity. The weakness is a classic input validation flaw identified by CWE-89.

Affected Systems

Any WordPress site that has installed Product Filter for WooCommerce by WBW and is running a version older than 3.1.3 is vulnerable. No other product versions or vendors are listed, and the vendor publisher is not identified.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while the exceptionally low EPSS score (<1%) suggests that exploitation attempts are unlikely at present. Nevertheless the vulnerability is not cataloged by CISA’s KEV list, implying it is not yet widely exploited. Attackers can craft an HTTP request to the plugin’s parameter without needing credentials, thereby enabling remote SQL injection. Successful exploitation would grant the attacker wide-reaching database access and could lead to data theft, modification, or denial of service.

Generated by OpenCVE AI on April 13, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Product Filter for WooCommerce to version 3.1.3 or later.
  • If an update is not immediately possible, disable or remove the plugin from the WordPress installation.
  • Apply general WordPress hardening practices, such as restricting file permissions and monitoring database activity logs for suspicious queries.

Generated by OpenCVE AI on April 13, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wbw
Wbw product Filter For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Wbw
Wbw product Filter For Woocommerce
Wordpress
Wordpress wordpress

Mon, 13 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
Title Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi
References

Subscriptions

Wbw Product Filter For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-13T12:56:39.504Z

Reserved: 2026-03-09T12:31:36.985Z

Link: CVE-2026-3830

cve-icon Vulnrichment

Updated: 2026-04-13T12:56:29.855Z

cve-icon NVD

Status : Deferred

Published: 2026-04-13T07:16:50.270

Modified: 2026-04-15T15:05:47.827

Link: CVE-2026-3830

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:35:23Z

Weaknesses