Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Network-reachable WordPress plugin endpoint, no auth or UI required; blind SQLi enables DB read across schemas (S:C, C:H), with no direct write (I:N) and incidental query-load impact (A:L).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection.
This issue affects Product Filter by WBW: from n/a through 3.1.2.
AnalysisAI
Blind SQL injection in the WordPress plugin Product Filter by WBW (versions up to and including 3.1.2) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries via crafted filter parameters. The CVSS 9.3 score reflects a scope-changed impact (S:C) where the WordPress database can be queried beyond the plugin's own context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Product Filter by WBW (also known as 'woo-product-filter') is a WooCommerce-oriented WordPress plugin that exposes product-filtering endpoints, typically rendered through AJAX handlers or shortcodes that build SQL queries against the wp_posts, wp_postmeta, and wp_terms tables. The CWE-89 root cause indicates that user-supplied filter values (likely attribute, taxonomy, price, or meta parameters) are concatenated into SQL rather than parameterized through $wpdb->prepare(), and Patchstack classifies it as 'blind' - meaning results are not directly returned, requiring boolean or time-based inference. The affected CPE 'cpe:2.3:a:wbw_plugins:product_filter_by_wbw:*' covers all releases through 3.1.2.
RemediationAI
No vendor-released patch version is cited in the supplied references, so the input data indicates Patch available per vendor advisory only - administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-product-filter/vulnerability/wordpress-product-filter-by-wbw-plugin-3-1-2-sql-injection-vulnerability for the fixed release and upgrade Product Filter by WBW to a version newer than 3.1.2 once published. Until a patched build is installed, deactivate the plugin entirely (the cleanest mitigation, at the cost of losing the product-filter UI on storefronts), or enforce virtual patching via Patchstack/Wordfence/a WAF rule that blocks SQL metacharacters (UNION, SLEEP, BENCHMARK, quoted strings) in the plugin's filter AJAX endpoints - WAF rules carry false-positive risk against legitimate product searches with apostrophes. As a defense-in-depth measure, restrict the database user to the minimum required privileges so injected queries cannot pivot to other schemas, and audit wp_users / wp_options for unauthorized changes if the plugin has been exposed.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36360
GHSA-hg8f-fjxw-frxj