Approved changes feed: RSS · Atom

cpe:2.3:a:woobewoo:product_filter_for_woocommerce_by_wbw:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorWoobewoo (0b879a1d-e77c-5146-bc64-232cd146e219)
ProductProduct Filter For Woocommerce By Wbw (a4035b43-b6d0-5228-8cbc-d72e747d04c4)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-3138 vulnerable 2026-06-08 08:01:17.919465 Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE
MEDIUM (6.5)
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations.
Published: 2026-03-24T04:27:49.387Z
Updated: 2026-04-08T16:34:13.999Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-8416 vulnerable 2026-06-08 07:45:20.110455 Product Filter by WBW <= 2.9.7 - Unauthenticated SQL Injection
HIGH (7.5)
The Product Filter by WBW plugin for WordPress is vulnerable to SQL Injection via the 'filtersDataBackend' parameter in all versions up to, and including, 2.9.7. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-10-25T06:49:24.974Z
Updated: 2026-04-08T17:25:09.376Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-2317 vulnerable 2026-06-08 07:16:56.780622 Product Filter by WBW <= 2.7.9 - Unauthenticated SQL Injection via filtersDataBackend Parameter
HIGH (7.5)
The Product Filter by WBW plugin for WordPress is vulnerable to time-based SQL Injection via the filtersDataBackend parameter in all versions up to, and including, 2.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-04-04T05:22:43.213Z
Updated: 2026-04-08T16:45:21.311Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11269 vulnerable 2026-06-08 07:02:28.515465 Product Filter by WBW <= 3.0.0 - Missing Authorization to Unauthenticated Settings Update
MEDIUM (5.3)
The Product Filter by WBW plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'approveNotice' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to update the plugin's settings.
Published: 2025-10-25T05:31:17.552Z
Updated: 2026-04-08T16:32:59.075Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-4444 vulnerable 2026-06-08 05:38:09.458232 Product Filter by WooBeWoo <= 1.4.9 - Missing Authorization
HIGH (7.3)
The Product Filter by WooBeWoo plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 1.4.9 due to missing authorization checks on various functions. This makes it possible for unauthenticated attackers to perform unauthorized actions such as creating new filters and injecting malicious javascript into a vulnerable site. This was actively exploited at the time of discovery.
Published: 2024-10-16T06:43:26.711Z
Updated: 2026-04-08T16:44:55.393Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.