{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3138", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-24T17:37:54.106Z", "datePublished": "2026-03-24T04:27:49.387Z", "dateUpdated": "2026-04-08T16:34:13.999Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:13.999Z"}, "affected": [{"vendor": "woobewoo", "product": "Product Filter for WooCommerce by WBW", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations."}], "title": "Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04e?source=cve"}, {"url": "https://wordpress.org/plugins/woo-product-filter/"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L416"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L280"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.php#L99"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.php#L345"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3487143%40woo-product-filter%2Ftrunk&old=3479545%40woo-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "timeline": [{"time": "2026-02-24T17:53:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-23T16:11:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:10:53.151921Z", "id": "CVE-2026-3138", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:12:19.084Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations."}, {"lang": "es", "value": "El plugin Product Filter for WooCommerce by WBW para WordPress es vulnerable a la p\u00e9rdida de datos no autorizada debido a una comprobaci\u00f3n de capacidad faltante en todas las versiones hasta la 3.1.2, inclusive. Esto se debe a que el framework MVC del plugin registra din\u00e1micamente manejadores AJAX no autenticados a trav\u00e9s de hooks 'wp_ajax_nopriv_' sin verificar las capacidades del usuario, combinado con el m\u00e9todo m\u00e1gico '__call()' del controlador base que reenv\u00eda llamadas a m\u00e9todos indefinidos a la capa del modelo, y el m\u00e9todo 'havePermissions()' que por defecto es 'true' cuando no se definen permisos expl\u00edcitamente. Esto hace posible que atacantes no autenticados trunquen la tabla de la base de datos 'wp_wpf_filters' del plugin a trav\u00e9s de una solicitud AJAX manipulada con 'action=delete', destruyendo permanentemente todas las configuraciones de filtro."}], "id": "CVE-2026-3138", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-24T05:16:23.727", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.php#L99"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L280"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L416"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.php#L345"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3487143%40woo-product-filter%2Ftrunk&old=3479545%40woo-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/woo-product-filter/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Product Filter for WooCommerce by WBW", "source": "cna", "vendor": "woobewoo"}, "product": "product_filter_for_woocommerce_by_wbw", "vendor": "woobewoo"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-24T06:21:06.516623+00:00", "value": {"mitigation_remediation": ["Upgrade the Product Filter for WooCommerce by WBW plugin to version 3.1.3 or later."], "summary": {"action": "Immediate Patch", "impact": "Data Loss via Unauthenticated Table Truncation"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Product Filter for WooCommerce by WBW plugin in any version up to and including 3.1.2 are affected. The vulnerability does not involve other plugins or core WordPress components. Any site using these versions of the plugin is at risk.", "description_and_impact": "The Product Filter for WooCommerce by WBW plugin for WordPress contains a missing capability check that allows attackers to send unauthenticated AJAX requests using the wp_ajax_nopriv_ hook. The plugin\u2019s controller forwards undefined method calls to the model through a magic __call() method, and default permission checks always return true when no explicit permissions are set. This combination lets an attacker issue a crafted request that executes a TRUNCATE TABLE command on the plugin\u2019s wp_wpf_filters database table, permanently deleting all filter configurations and causing irreversible data loss.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity vulnerability. The EPSS score is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated web request\u2014an attacker can simply send the malicious AJAX call to the vulnerable plugin\u2019s endpoint without needing credentials or any prior compromise."}}}}, "created": "2026-03-24T10:29:02.712634+00:00", "updated": "2026-03-25T20:40:07.649884+00:00", "vendors": ["woobewoo", "woobewoo$PRODUCT$product_filter_for_woocommerce_by_wbw", "wordpress", "wordpress$PRODUCT$wordpress"]}