{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3830", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-03-09T12:31:36.985Z", "datePublished": "2026-04-13T06:00:13.287Z", "dateUpdated": "2026-04-13T12:56:39.504Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-13T06:00:13.287Z"}, "title": "Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi", "problemTypes": [{"descriptions": [{"description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Product Filter for WooCommerce by WBW", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "3.1.3"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks"}], "references": [{"url": "https://wpscan.com/vulnerability/768014fd-0403-4182-b19e-3d46c92d8755/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "mcdruid", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T12:56:36.941075Z", "id": "CVE-2026-3830", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:56:39.504Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3830", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T12:56:36.941075Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:56:29.855Z"}}], "cna": {"title": "Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "mcdruid"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Product Filter for WooCommerce by WBW", "versions": [{"status": "affected", "version": "0", "lessThan": "3.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/768014fd-0403-4182-b19e-3d46c92d8755/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-13T06:00:13.287Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3830", "state": "PUBLISHED", "dateUpdated": "2026-04-13T12:56:39.504Z", "dateReserved": "2026-03-09T12:31:36.985Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-13T06:00:13.287Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks"}], "id": "CVE-2026-3830", "lastModified": "2026-04-15T15:05:47.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T07:16:50.270", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/768014fd-0403-4182-b19e-3d46c92d8755/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Product Filter for WooCommerce by WBW", "source": "cna", "vendor": "Unknown"}, "product": "product_filter_for_woocommerce", "vendor": "wbw"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T14:39:41.423610+00:00", "value": {"mitigation_remediation": ["Update Product Filter for WooCommerce to version 3.1.3 or later.", "If an update is not immediately possible, disable or remove the plugin from the WordPress installation.", "Apply general WordPress hardening practices, such as restricting file permissions and monitoring database activity logs for suspicious queries."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated SQL Injection"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed Product Filter for WooCommerce by WBW and is running a version older than 3.1.3 is vulnerable. No other product versions or vendors are listed, and the vendor publisher is not identified.", "description_and_impact": "A flaw in the Product Filter for WooCommerce WordPress plugin before version 3.1.3 allows an unauthenticated user to submit a crafted request that bypasses input sanitization and injects arbitrary SQL code. This unauthorized injection can read, alter or delete any database table accessed by the plugin, thereby compromising data confidentiality and integrity. The weakness is a classic input validation flaw identified by CWE-89.", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity, while the exceptionally low EPSS score (<1%) suggests that exploitation attempts are unlikely at present. Nevertheless the vulnerability is not cataloged by CISA\u2019s KEV list, implying it is not yet widely exploited. Attackers can craft an HTTP request to the plugin\u2019s parameter without needing credentials, thereby enabling remote SQL injection. Successful exploitation would grant the attacker wide-reaching database access and could lead to data theft, modification, or denial of service."}}}}, "created": "2026-04-13T12:36:58.386506+00:00", "updated": "2026-04-14T16:35:23.732032+00:00", "vendors": ["wbw", "wbw$PRODUCT$product_filter_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}