CVE-2025-8416
BaseFortify

Publication date: 2025-10-25

Last updated on: 2025-10-27

Assigner: Wordfence

Description
The Product Filter by WBW plugin for WordPress is vulnerable to SQL Injection via the 'filtersDataBackend' parameter in all versions up to, and including, 2.9.7. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-10-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
2 associated CPEs:
Vendor  Product         Version / Range
wbw     product_filter  2.9.8
wbw     product_filter  2.9.7
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Product Filter by WBW WordPress plugin is an SQL Injection issue affecting all versions up to and including 2.9.7. It occurs via the 'filtersDataBackend' parameter, which is not properly escaped or prepared before being used in SQL queries. This allows unauthenticated attackers to inject additional SQL commands into existing queries, potentially extracting sensitive information from the database. [3]


How can this vulnerability impact me?

This vulnerability can allow unauthenticated attackers to perform SQL Injection attacks, which may lead to unauthorized access to sensitive data stored in the database. Since the attacker can append SQL queries, they might extract confidential information without needing any authentication, posing a significant security risk to the affected website. [3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can negatively impact compliance with standards such as GDPR and HIPAA because it allows unauthorized access to sensitive personal or protected health information stored in the database. A successful SQL Injection attack could lead to data breaches, violating data protection requirements and potentially resulting in legal and financial penalties. [3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if the WordPress site is running the Product Filter by WBW plugin version 2.9.7 or earlier and testing the 'filtersDataBackend' parameter for SQL Injection attempts. One approach is to send crafted HTTP requests to the vulnerable endpoint with SQL injection payloads in the 'filtersDataBackend' parameter and observe if the server responds with database errors or unexpected data. For example, using curl to send a test payload: curl -X POST -d 'filtersDataBackend=1 OR 1=1' https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=woofilters_ajax. Additionally, scanning the site with vulnerability scanners that support WordPress plugins or using custom scripts to detect SQL Injection in this parameter can help. Monitoring logs for suspicious requests targeting 'filtersDataBackend' with SQL syntax is also recommended.
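As an added detection example, not part of the BaseFortify page or of the plugin's own code: a small Python scanner that flags requests carrying SQL syntax in the 'filtersDataBackend' parameter, matching the log-monitoring advice above. It assumes a reverse proxy or WAF that writes one JSON object per request with the request body included (ordinary access logs omit POST bodies), and the log entries below are constructed samples, not real traffic.

```python
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample entries (one JSON object per request), as a reverse proxy
# or WAF that records request bodies might emit them; not real traffic.
SAMPLE_LOG = """
{"ip":"203.0.113.5","method":"POST","uri":"/wp-admin/admin-ajax.php?action=woofilters_ajax","body":"filtersDataBackend=12&page=1"}
{"ip":"198.51.100.9","method":"POST","uri":"/wp-admin/admin-ajax.php?action=woofilters_ajax","body":"filtersDataBackend=1%20OR%201%3D1"}
{"ip":"198.51.100.9","method":"POST","uri":"/wp-admin/admin-ajax.php?action=woofilters_ajax","body":"filtersDataBackend=1'%20UNION%20SELECT%201%2C2%2C3--%20"}
{"ip":"192.0.2.44","method":"GET","uri":"/wp-admin/admin-ajax.php?action=other&filtersDataBackend=%27%20OR%20SLEEP(5)--","body":""}
{"ip":"192.0.2.7","method":"GET","uri":"/shop/?orderby=price","body":""}
""".strip()

# SQL syntax that has no business in this parameter: quotes, comment markers,
# a comparison following OR (boolean tautologies), and common injection keywords.
SQL_SYNTAX = re.compile(
    r"""['"`;]|--|/\*|#|\bOR\b\s+\S+\s*=|\b(UNION|SELECT|SLEEP|BENCHMARK|INFORMATION_SCHEMA)\b""",
    re.IGNORECASE,
)
PARAM = "filtersDataBackend"

def extract_param(entry: dict) -> List[str]:
    """Collect the parameter from both the query string and the POST body."""
    query = urlparse(entry.get("uri", "")).query
    values = parse_qs(query).get(PARAM, [])
    values += parse_qs(entry.get("body", "")).get(PARAM, [])
    return values

def classify(entry: dict) -> Optional[str]:
    """'injection' if any value carries SQL syntax, 'clean' otherwise,
    None when the request does not touch the parameter at all."""
    values = extract_param(entry)
    if not values:
        return None
    return "injection" if any(SQL_SYNTAX.search(v) for v in values) else "clean"

def scan_log(text: str) -> List[Tuple[str, str]]:
    """Return (client ip, verdict) for every request carrying the parameter."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            verdict = classify(entry)
            if verdict:
                findings.append((entry["ip"], verdict))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the first request as clean and the three tampered ones as injection attempts; requests that never touch the parameter are skipped.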


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Product Filter by WBW plugin to version 2.9.8 or later, where the vulnerability is fixed by sanitizing input parameters using intval to prevent SQL Injection. If updating is not immediately possible, restrict access to the affected AJAX endpoints or disable the plugin temporarily. Additionally, implement Web Application Firewall (WAF) rules to block malicious payloads targeting the 'filtersDataBackend' parameter. Regularly monitor and audit logs for suspicious activity related to this parameter. [3]

