Skip to main content

Product Filter by WBW CVE-2026-39494

| EUVDEUVD-2026-36360 CRITICAL
SQL Injection (CWE-89)
2026-06-11 Patchstack GHSA-hg8f-fjxw-frxj
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Network-reachable WordPress plugin endpoint, no auth or UI required; blind SQLi enables DB read across schemas (S:C, C:H), with no direct write (I:N) and incidental query-load impact (A:L).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 11, 2026 - 21:52 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection.

This issue affects Product Filter by WBW: from n/a through 3.1.2.

AnalysisAI

Blind SQL injection in the WordPress plugin Product Filter by WBW (versions up to and including 3.1.2) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries via crafted filter parameters. The CVSS 9.3 score reflects a scope-changed impact (S:C) where the WordPress database can be queried beyond the plugin's own context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Product Filter by WBW (also known as 'woo-product-filter') is a WooCommerce-oriented WordPress plugin that exposes product-filtering endpoints, typically rendered through AJAX handlers or shortcodes that build SQL queries against the wp_posts, wp_postmeta, and wp_terms tables. The CWE-89 root cause indicates that user-supplied filter values (likely attribute, taxonomy, price, or meta parameters) are concatenated into SQL rather than parameterized through $wpdb->prepare(), and Patchstack classifies it as 'blind' - meaning results are not directly returned, requiring boolean or time-based inference. The affected CPE 'cpe:2.3:a:wbw_plugins:product_filter_by_wbw:*' covers all releases through 3.1.2.

RemediationAI

No vendor-released patch version is cited in the supplied references, so the input data indicates Patch available per vendor advisory only - administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-product-filter/vulnerability/wordpress-product-filter-by-wbw-plugin-3-1-2-sql-injection-vulnerability for the fixed release and upgrade Product Filter by WBW to a version newer than 3.1.2 once published. Until a patched build is installed, deactivate the plugin entirely (the cleanest mitigation, at the cost of losing the product-filter UI on storefronts), or enforce virtual patching via Patchstack/Wordfence/a WAF rule that blocks SQL metacharacters (UNION, SLEEP, BENCHMARK, quoted strings) in the plugin's filter AJAX endpoints - WAF rules carry false-positive risk against legitimate product searches with apostrophes. As a defense-in-depth measure, restrict the database user to the minimum required privileges so injected queries cannot pivot to other schemas, and audit wp_users / wp_options for unauthorized changes if the plugin has been exposed.

Share

CVE-2026-39494 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy