WordPress Plugin Vulnerabilities

Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi

Description

The plugin does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

Proof of Concept

Affects Plugins

Plugin icon
woo-product-filter
Fixed in 3.1.3

References

CVE
CVE-2026-3830

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
mcdruid
Submitter
mcdruid
Verified
Yes
WPVDB ID
768014fd-0403-4182-b19e-3d46c92d8755

Timeline

Publicly Published
2026-03-23 (about 21 days ago)
Added
2026-03-23 (about 20 days ago)
Last Updated
2026-04-10 (about 2 days ago)

Other

Published
Title
Published
2024-01-18
Title
Stripe Payment Plugin for WooCommerce < 3.8.0 - Unauthenticated SQL Injection
Published
2022-04-25
Title
ARPrice Lite < 3.6.1 - Unauthenticated SQLi
Published
2022-04-25
Title
3xSocializer <= 0.98.22 - Subscriber+ SQLi
Published
2020-07-10
Title
SRS Simple Hits Counter 1.0.3 - 1.0.4 - Unauthenticated Blind SQL Injection
Published
2025-09-09
Title
Duplicate Page and Post <= 2.9.5 - Authenticated (Contributor+) SQL Injection via meta_key Parameter