GCVE - cpe:2.3:a:themify:woocommerce_product_filter:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:themify:woocommerce_product_filter:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Themify (`f684b9e7-8f88-51e9-b947-ef1fa0635887`)
Product	Woocommerce Product Filter (`30737a20-2297-550f-ab03-b271a42e10df`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/wp-plugins/woocommerce-products-filter`	purl2cpe	2026-06-01 10:11:26.121108

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-6027`	vulnerable	2026-06-03 14:58:01.475844	Themify - WooCommerce Product Filter <= 1.4.9 - Unauthenticated SQL Injection via conditions Parameter CRITICAL (9.8) The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Published: 2024-06-21T09:39:38.125Z Updated: 2026-04-08T16:49:31.088Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/451db756-9d62-4c8e-b735-e5e5207b81e3?source=cve https://plugins.trac.wordpress.org/browser/themify-wc-product-filter/trunk/public/class-wpf-public.php#L604 https://themify.org/changelogs/themify-wc-product-filter.txt https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3104239%40themify-wc-product-filter%2Ftrunk&old=3100861%40themify-wc-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-2263`	vulnerable	2026-06-03 14:55:28.838150	WooCommerce Product Filter < 1.4.4 - Reflected XSS Themify WordPress plugin before 1.4.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Published: 2024-04-01T05:00:02.150Z Updated: 2024-08-27T15:43:13.886Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/ec092ed9-eb3e-40a7-a878-ab854104e290/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-2262`	vulnerable	2026-06-03 14:55:28.835445	WooCommerce Product Filter < 1.4.4 - Filter Deletion via CSRF Themify WordPress plugin before 1.4.4 does not have CSRF check in its bulk action, which could allow attackers to make logged in users delete arbitrary filters via CSRF attack, granted they know the related filter slugs Published: 2024-04-01T05:00:01.688Z Updated: 2024-08-21T22:39:32.516Z Open on db.gcve.eu Reference links https://wpscan.com/vulnerability/30544377-b90d-4762-b38a-ec89bda0dfdc/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.