Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection.

This issue affects Product Filter by WBW: from n/a through 3.1.2.
Published: 2026-06-11
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WBW Plugins Product Filter by WBW plugin has a blind SQL injection flaw, identified as CWE‑89, due to improper neutralization of special elements in SQL commands. This vulnerability allows an attacker to inject arbitrary SQL statements, potentially enabling unauthorized read, modification, or deletion of database data, which could compromise site confidentiality, integrity, and possibly elevate privileges.

Affected Systems

All releases of the WP Product Filter by WBW plugin from the initial version through 3.1.2 are affected. WordPress installations using any of these versions are vulnerable until an update to at least 3.1.3 is applied.

Risk and Exploitability

The CVSS score of 9.3 signals a critical-severity flaw, while EPSS data is not available and the issue is not listed in the CISA KEV catalog, indicating no confirmed public exploitation to date. The likely attack vector is via publicly accessible product-filter inputs, where crafted requests can trigger the blind SQL injection without user authentication. Successful exploitation could grant full SQL execution rights against the database, exposing sensitive data and facilitating further attacks.

Generated by OpenCVE AI on June 11, 2026 at 22:51 UTC.

Remediation

Vendor Solution

Update the WordPress Product Filter by WBW Plugin to the latest available version (at least 3.1.3).


OpenCVE Recommended Actions

  • Update the WBW Plugins Product Filter by WBW to version 3.1.3 or later to remove the vulnerability.
  • Disable or restrict the product-filter endpoint to trusted users only until the patch can be applied.
  • Implement or enforce input sanitization rules for any remaining plugin-related query parameters to mitigate potential injection vectors.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2. |
| Title | | WordPress Product Filter by WBW plugin <= 3.1.2 - SQL Injection vulnerability |
| Weaknesses | | CWE-89 |
| References | | |
| Metrics | | cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-11T21:05:40.175Z

Reserved: 2026-04-07T10:47:43.843Z

Link: CVE-2026-39494

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-11T22:16:56.207

Modified: 2026-06-11T22:16:56.207

Link: CVE-2026-39494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T23:00:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')