CVE-2026-3138
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Summary
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via wp_ajax_nopriv_ hooks without verifying user capabilities, combined with the base controller's __call() magic method forwarding undefined method calls to the model layer, and the havePermissions() method defaulting to true when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's wp_wpf_filters database table via a crafted AJAX request with action=delete, permanently destroying all filter configurations.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| woobewoo | Product Filter for WooCommerce by WBW | 0 <= 3.1.2 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04e?source=cve
- https://wordpress.org/plugins/woo-product-filter/
- https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L416
- https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L280
- https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.php#L99
- https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.php#L345
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3487143%40woo-product-filter%2Ftrunk&old=3479545%40woo-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.