CVE-2026-3830
SQL Injection in Product Filter for WooCommerce Plugin
Publication date: 2026-04-13
Last updated on: 2026-04-13
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wbw | product_filter_for_woocommerce | to 3.1.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3830 is a critical security flaw in the WordPress plugin "Product Filter for WooCommerce by WBW" versions before 3.1.3. The vulnerability arises because the plugin does not properly sanitize and escape user-supplied parameters before using them in SQL queries.
This flaw allows unauthenticated attackers to perform SQL injection attacks by sending specially crafted AJAX requests that manipulate filter parameters. These malicious requests can execute arbitrary SQL commands on the backend database.
The vulnerability affects parameters such as those within the "settings[filters][order]" JSON structure and impacts plugin actions like "drawFilterAjax" and "filtersFrontend." It is classified as CWE-89 and corresponds to the OWASP Top 10 category A1: Injection.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows unauthenticated attackers to execute arbitrary SQL commands on your website's database.
- Attackers could extract sensitive data from the database.
- They might modify or delete data, causing data loss or corruption.
- It could lead to unauthorized access or control over the website.
- Attackers could disrupt website functionality or cause denial of service by exploiting SQL commands like SLEEP().
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted AJAX requests to the affected WordPress plugin endpoints, such as the "drawFilterAjax" action, with malicious payloads in parameters like "settings[filters][order]" to test for SQL injection.
A common detection method involves using curl commands that inject SQL code to induce delays, such as using the SQL SLEEP() function, to confirm the presence of the SQL injection vulnerability.
For example, a proof-of-concept curl command can be constructed to send a request with a payload that triggers a delay if the injection is successful, indicating the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Product Filter for WooCommerce by WBW plugin to version 3.1.3 or later, where the issue has been fixed.
Until the update can be applied, consider restricting access to the vulnerable AJAX endpoints or implementing web application firewall (WAF) rules to block malicious payloads targeting the affected parameters.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-3830 allows unauthenticated attackers to perform SQL injection attacks on the backend database of the affected WordPress plugin. Such unauthorized access and manipulation of database contents can lead to exposure or alteration of sensitive data.
This kind of security flaw can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Failure to properly sanitize inputs leading to SQL injection could result in data breaches, which are reportable incidents under these regulations, potentially causing legal and financial consequences for affected organizations.