Product Filter For Woocommerce By Wbw
Approved changes feed: RSS · Atom
cpe:2.3:a:woobewoo:product_filter_for_woocommerce_by_wbw:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Woobewoo (0b879a1d-e77c-5146-bc64-232cd146e219) |
|---|---|
| Product | Product Filter For Woocommerce By Wbw (a4035b43-b6d0-5228-8cbc-d72e747d04c4) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-3138 |
vulnerable | 2026-06-08 08:01:17.919465 |
Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE
MEDIUM (6.5)
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations.
Published: 2026-03-24T04:27:49.387Z
Updated: 2026-04-08T16:34:13.999Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-8416 |
vulnerable | 2026-06-08 07:45:20.110455 |
Product Filter by WBW <= 2.9.7 - Unauthenticated SQL Injection
HIGH (7.5)
The Product Filter by WBW plugin for WordPress is vulnerable to SQL Injection via the 'filtersDataBackend' parameter in all versions up to, and including, 2.9.7. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-10-25T06:49:24.974Z
Updated: 2026-04-08T17:25:09.376Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-2317 |
vulnerable | 2026-06-08 07:16:56.780622 |
Product Filter by WBW <= 2.7.9 - Unauthenticated SQL Injection via filtersDataBackend Parameter
HIGH (7.5)
The Product Filter by WBW plugin for WordPress is vulnerable to time-based SQL Injection via the filtersDataBackend parameter in all versions up to, and including, 2.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-04-04T05:22:43.213Z
Updated: 2026-04-08T16:45:21.311Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2025-11269 |
vulnerable | 2026-06-08 07:02:28.515465 |
Product Filter by WBW <= 3.0.0 - Missing Authorization to Unauthenticated Settings Update
MEDIUM (5.3)
The Product Filter by WBW plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'approveNotice' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to update the plugin's settings.
Published: 2025-10-25T05:31:17.552Z
Updated: 2026-04-08T16:32:59.075Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2021-4444 |
vulnerable | 2026-06-08 05:38:09.458232 |
Product Filter by WooBeWoo <= 1.4.9 - Missing Authorization
HIGH (7.3)
The Product Filter by WooBeWoo plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 1.4.9 due to missing authorization checks on various functions. This makes it possible for unauthenticated attackers to perform unauthorized actions such as creating new filters and injecting malicious javascript into a vulnerable site. This was actively exploited at the time of discovery.
Published: 2024-10-16T06:43:26.711Z
Updated: 2026-04-08T16:44:55.393Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.