Security Alert Summary
The Product Filter for WooCommerce by WBW plugin contains a vulnerability that can be exploited without authentication to delete all saved filter configurations. The issue is caused by missing capability checks in the plugin's AJAX handling and controller logic, and it can be triggered via a crafted AJAX request.
CVE Details
- CVE ID: CVE-2026-3138
- Affected component: Product Filter for WooCommerce by WBW plugin for WordPress
- Affected versions: All versions up to, and including, 3.1.2
- Published: March 24, 2026 at 5:16:23 AM UTC
- Last modified: March 24, 2026 at 3:53:48 PM UTC
- CVSS v3.1: Base Score 6.5, Severity MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE (unauthenticated)
- User Interaction: NONE
- Scope: UNCHANGED
- Impact: Confidentiality: NONE; Integrity: LOW; Availability: LOW
- Authentication / Privileges: Unauthenticated (no privileges required)
- Primary impact: Partial loss of integrity and reduced availability of plugin-managed filter data
- CWE / Weakness ID: CWE-862 (Missing Authorization)
Technical Details
This vulnerability exists because the plugin’s MVC framework dynamically registers unauthenticated AJAX handlers using wp_ajax_nopriv_ hooks without verifying user capabilities. The base controller implements a __call() magic method that forwards undefined method calls to the model layer, and the controller’s havePermissions() method defaults to true when no explicit permissions are defined. Together, these behaviors allow an unauthenticated request to reach model operations that modify the plugin data store.
Specifically, an attacker can send a crafted AJAX request with action=delete that invokes the plugin code paths which perform deletions on the wp_wpf_filters database table. Because capability checks are missing or default to allowing access, the request can truncate that table and permanently remove all stored filter configurations.
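The following PHP is an added illustration written for this advisory; it is not the plugin's own code. It restates, in generic form, the authorization pattern described above (a base controller whose havePermissions() defaults to true and whose __call() forwards to the model, reachable through a wp_ajax_nopriv_ hook) and sets it beside a hardened handler that registers only the authenticated hook, verifies a nonce, checks a capability, and deletes a single row by id rather than truncating the table. All class, method, hook, nonce and parameter names are hypothetical; the table name wp_wpf_filters and the delete action come from the advisory, and the capability manage_woocommerce is a standard WooCommerce capability chosen here as an example.

```php
<?php
/**
 * Added illustration, not the plugin's code: the permissive pattern the
 * advisory describes, beside a hardened handler. Names are hypothetical;
 * only wp_wpf_filters and the "delete" action come from the advisory.
 */

// --- Pattern described in the advisory: permissive base controller -----------

class Example_Base_Controller {
    protected $model;

    public function __construct( $model ) {
        $this->model = $model;
    }

    // With no explicit permission map defined, everything is treated as allowed.
    public function havePermissions( $method ) {
        return true;
    }

    // Undefined methods are forwarded straight to the model. If this controller
    // is reachable through a wp_ajax_nopriv_ hook, an anonymous request reaches
    // the model's data-modifying methods with no capability check at all.
    public function __call( $method, $args ) {
        if ( ! $this->havePermissions( $method ) ) {
            wp_die( 'forbidden' );
        }
        return call_user_func_array( array( $this->model, $method ), $args );
    }
}

// --- Hardened form: authenticated hook only, nonce, capability, scoped delete ---

class Example_Filters_Controller {
    private $table;

    public function __construct() {
        global $wpdb;
        // Assumption: the plugin table is the site prefix plus "wpf_filters".
        $this->table = $wpdb->prefix . 'wpf_filters';
    }

    public function register() {
        // Register the authenticated hook only. Deliberately no
        // 'wp_ajax_nopriv_example_wpf_delete': anonymous visitors never need
        // to delete filter configurations.
        add_action( 'wp_ajax_example_wpf_delete', array( $this, 'delete' ) );
    }

    public function delete() {
        // 1. Nonce: the request must originate from a page this site rendered.
        if ( ! check_ajax_referer( 'example_wpf_delete', 'nonce', false ) ) {
            wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
        }
        // 2. Capability: the caller must be allowed to manage the store.
        if ( ! current_user_can( 'manage_woocommerce' ) ) {
            wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
        }
        // 3. Scope: delete exactly one filter by id; never truncate the table.
        $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
        if ( 0 === $id ) {
            wp_send_json_error( array( 'message' => 'missing id' ), 400 );
        }
        global $wpdb;
        $deleted = $wpdb->delete( $this->table, array( 'id' => $id ), array( '%d' ) );
        wp_send_json_success( array( 'deleted' => (int) $deleted ) );
    }
}

// Bootstrap (hypothetical): wire the hardened controller into WordPress.
( new Example_Filters_Controller() )->register();
```

The order of the three checks matters less than their presence: the nonce ties the request to a page the site served, the capability check ties it to a user who is allowed to manage filters, and the per-id delete bounds what a single request can change even if a future bug weakens one of the first two.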
How This Could Impact Your Website
In a typical scenario, a site owner has configured product filters used by customers to search and narrow product listings. Internal staff or an external contractor may have created many filter configurations for categories, price ranges, or attributes. An unauthenticated attacker exploiting this issue could delete those configurations without needing an account on the site.
Practical consequences include loss of filter settings, degraded shopping and search functionality, and the need to manually reconstruct filter configurations. This can increase workload for site administrators and contractors and may temporarily reduce the usability of product listings for customers. The impact aligns with the stated CVSS impacts: integrity and availability are affected at a low level rather than indicating full site compromise.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Monitor the plugin’s official page and security advisories for an available update and apply any patched version as soon as it is released.
- Review and reduce unnecessary user roles and capabilities on your site, especially for contributor-level and similar roles.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce your attack surface.
- Monitor site activity and logs for unusual AJAX requests or rapid changes to plugin-specific database tables.
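As an added example of the last recommendation (monitoring for unusual AJAX requests and for sudden changes to plugin tables), the following must-use plugin is written for this advisory and is not part of the plugin or the advisory. It logs unauthenticated admin-ajax.php requests whose action matches a small watch list, and after every admin-ajax request it compares the row count of the filters table against a baseline taken at the start of the request, reporting any decrease. The class name, the watched action list, the log prefix and the assumption that the table is the site prefix plus wpf_filters are all hypothetical; the only value taken from the advisory is the action=delete parameter.

```php
<?php
/**
 * Plugin Name: Example WPF AJAX Monitor
 * Added illustration, not part of the plugin or the advisory. Place in
 * wp-content/mu-plugins/ so it loads on every request. Logs anonymous
 * admin-ajax requests carrying a watched action and reports any drop in the
 * wpf_filters row count during an admin-ajax request. The watch list and the
 * table name are assumptions; adjust them to the install being monitored.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

final class Example_WPF_Ajax_Monitor {
    // Action values worth flagging when they arrive without a logged-in user.
    // "delete" comes from the advisory; the others are assumed variants.
    const WATCHED_ACTIONS = array( 'delete', 'truncate', 'remove' );

    private $rows_before = null;

    public function __construct() {
        // admin-ajax.php fires admin_init before dispatching to the action's hook,
        // and WordPress fires 'shutdown' after the handler has run (or died).
        add_action( 'admin_init', array( $this, 'inspect_request' ) );
        add_action( 'shutdown', array( $this, 'compare_rows' ) );
    }

    private function table() {
        global $wpdb;
        return $wpdb->prefix . 'wpf_filters'; // assumption: prefix + wpf_filters
    }

    private function row_count() {
        global $wpdb;
        return (int) $wpdb->get_var( 'SELECT COUNT(*) FROM `' . $this->table() . '`' );
    }

    public function inspect_request() {
        if ( ! wp_doing_ajax() ) {
            return;
        }
        $action = isset( $_REQUEST['action'] )
            ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
            : '';
        if ( '' === $action ) {
            return;
        }
        // Baseline so compare_rows() can tell whether this request shrank the table.
        $this->rows_before = $this->row_count();

        if ( ! is_user_logged_in() && in_array( $action, self::WATCHED_ACTIONS, true ) ) {
            error_log( sprintf(
                '[wpf-monitor] unauthenticated admin-ajax action=%s from %s ua=%s',
                $action,
                isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?',
                isset( $_SERVER['HTTP_USER_AGENT'] ) ? substr( $_SERVER['HTTP_USER_AGENT'], 0, 80 ) : '?'
            ) );
        }
    }

    public function compare_rows() {
        if ( null === $this->rows_before ) {
            return;
        }
        $after = $this->row_count();
        if ( $after < $this->rows_before ) {
            error_log( sprintf(
                '[wpf-monitor] %s rows dropped %d -> %d during an admin-ajax request (user_id=%d)',
                $this->table(),
                $this->rows_before,
                $after,
                get_current_user_id()
            ) );
        }
    }
}

new Example_WPF_Ajax_Monitor();
```

Entries go to the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is enabled), where they can be picked up by whatever log shipping the site already uses. Behind a reverse proxy, REMOTE_ADDR will be the proxy address, so the source IP should be read from the proxy's forwarding header only if the proxy is trusted to set it. A row-count drop logged with user_id=0 is the combination worth alerting on: the table shrank during a request that no authenticated user made.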
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.php#L99
- https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L280
- https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L416
- https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.php#L345
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3487143%40woo-product-filter%2Ftrunk&old=3479545%40woo-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2
- https://wordpress.org/plugins/woo-product-filter/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04e?source=cve