Product Filter for WooCommerce by WBW Plugin Vulnerability (CVE-2026-3830)

Security Alert Summary

The Product Filter for WooCommerce by WBW WordPress plugin prior to version 3.1.3 contains an SQL injection vulnerability. The plugin fails to sanitize and escape a parameter before including it in a SQL statement, which can allow unauthenticated attackers to perform SQL injection against affected sites.


CVE Details

  • CVE ID: CVE-2026-3830
  • Affected component: Product Filter for WooCommerce by WBW WordPress plugin
  • Affected versions: versions before 3.1.3
  • Published: April 13, 2026, 7:16:50 AM
  • Last modified: April 13, 2026, 3:01:43 PM
  • CVSS v3.1: Base Score 8.6, Severity HIGH
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Authentication / Privileges / User Interaction: No authentication required; Privileges required: None; User interaction: None
  • Primary impact: Confidentiality: High; Integrity: None; Availability: None
  • Scope: Changed
  • CWE: CWE-89 (SQL Injection)

Technical Details

The plugin does not sanitize and escape a parameter before using it in a SQL statement. This insufficient input handling results in an SQL injection vulnerability that can be triggered by unauthenticated users. The CVE description indicates the unsafe inclusion of user-supplied data into a database query without proper sanitization or parameterization.

Because the issue is an SQL injection, a successful exploit could allow an attacker to manipulate database query behavior to read sensitive information from the database. According to the provided CVSS data, the primary impact is confidentiality (data exposure); integrity and availability are not indicated as impacted.
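As an added illustration of the CWE-89 pattern the advisory describes (this is not the plugin's own code; the request parameter name, table and query are assumed), here is the unsafe shape beside a parameterized rewrite that uses WordPress's `$wpdb->prepare()` and validates each value before it reaches the query:

```php
<?php
// Added example of the CWE-89 pattern described above; not the plugin's code.
// Hypothetical filter handler: the parameter name, table and query are assumed.

/**
 * Vulnerable shape: request input is concatenated straight into the SQL string,
 * so whatever arrives in filter_terms becomes part of the query text.
 */
function wbw_demo_filter_products_unsafe( $wpdb ) {
    $terms = isset( $_GET['filter_terms'] ) ? $_GET['filter_terms'] : ''; // assumed parameter
    $sql   = "SELECT object_id FROM {$wpdb->prefix}term_relationships "
           . "WHERE term_taxonomy_id IN ({$terms})";
    return $wpdb->get_col( $sql );
}

/**
 * Hardened shape: coerce the input to the type the query expects (integer IDs),
 * then bind every value through a %d placeholder with $wpdb->prepare().
 * Building the placeholder list from the validated array keeps an IN (...) clause
 * parameterized no matter how many values the client sends.
 */
function wbw_demo_filter_products_safe( $wpdb ) {
    if ( empty( $_GET['filter_terms'] ) ) {
        return array();
    }
    // Accept "1,2,3" or an array; absint() turns anything non-numeric into 0,
    // and array_filter() drops those zeros so only real IDs remain.
    $raw = wp_unslash( $_GET['filter_terms'] );
    $ids = is_array( $raw ) ? $raw : explode( ',', (string) $raw );
    $ids = array_values( array_filter( array_map( 'absint', $ids ) ) );
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT object_id FROM {$wpdb->prefix}term_relationships "
        . "WHERE term_taxonomy_id IN ({$placeholders})",
        $ids
    );
    return $wpdb->get_col( $sql );
}
```

The same split applies to string-valued filters: validate with the appropriate WordPress sanitizer, then bind with `%s` rather than interpolating the value into the query.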


How This Could Impact Your Website

In a typical WordPress setup, a site owner may install the Product Filter for WooCommerce plugin to improve product navigation, while internal staff or external contractors manage products and content. An unauthenticated attacker exploiting this SQL injection could supply crafted input to the plugin's unsanitized parameter and thereby query the site database directly. Practical consequences include exposure of sensitive data such as internal user email addresses or other customer information stored in the database, which raises the risk of targeted phishing or social engineering against staff or customers.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin to version 3.1.3 or later, the first version the advisory lists as not affected.
  • Review and reduce unnecessary user roles, especially contributors.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and database access for unusual behavior.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
