WordPress Plugin Vulnerabilities

Product Filter by WBW < 2.5.1 - Subscriber+ Table Data Access

Description

The Product Filter by WBW plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getListForTbl() function hooked via AJAX in versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve table data.

Affects Plugins

Plugin icon
woo-product-filter
Fixed in 2.5.1

References

CVE
CVE-2023-50877
URL
https://patchstack.com/database/vulnerability/woo-product-filter/wordpress-product-filter-by-wbw-plugin-2-5-0-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
0d6d6077-2561-4411-a945-34491524f47f

Timeline

Publicly Published
2023-12-26 (about 2 years ago)
Added
2024-01-04 (about 2 years ago)
Last Updated
2024-01-04 (about 2 years ago)

Other

Published
Title
Published
2025-12-26
Title
CubeWP < 1.1.28 - Missing Authorization
Published
2024-04-29
Title
ReviewX < 1.6.22 - Missing Authorization
Published
2024-04-22
Title
ARForms < 6.4.1 - Missing Authorization to Arbitrary Plugin Activation/Deactivation
Published
2026-04-21
Title
Sendmachine for WordPress <= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests
Published
2025-04-01
Title
Gift Cards for WooCommerce <= 1.5.8 - Missing Authorization