CVE-2026-3830

Received Received - Intake

SQL Injection in Product Filter for WooCommerce Plugin

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: WPScan

Description

The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-13

Last Modified

2026-04-13

Generated

2026-06-16

AI Q&A

2026-04-13

EPSS Evaluated

2026-06-15

NVD

CVE-2026-3830

EUVD

EUVD-2026-21881

Affected Vendors & Products

Vendor	Product	Version / Range
wbw	product_filter_for_woocommerce	to 3.1.3 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-3830 is a critical security flaw in the WordPress plugin "Product Filter for WooCommerce by WBW" versions before 3.1.3. The vulnerability arises because the plugin does not properly sanitize and escape user-supplied parameters before using them in SQL queries.

This flaw allows unauthenticated attackers to perform SQL injection attacks by sending specially crafted AJAX requests that manipulate filter parameters. These malicious requests can execute arbitrary SQL commands on the backend database.

The vulnerability affects parameters such as those within the "settings[filters][order]" JSON structure and impacts plugin actions like "drawFilterAjax" and "filtersFrontend." It is classified as CWE-89 and corresponds to the OWASP Top 10 category A1: Injection.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated attackers to execute arbitrary SQL commands on your website's database.

Attackers could extract sensitive data from the database.
They might modify or delete data, causing data loss or corruption.
It could lead to unauthorized access or control over the website.
Attackers could disrupt website functionality or cause denial of service by exploiting SQL commands like SLEEP().

Detection Guidance

This vulnerability can be detected by sending crafted AJAX requests to the affected WordPress plugin endpoints, such as the "drawFilterAjax" action, with malicious payloads in parameters like "settings[filters][order]" to test for SQL injection.

A common detection method involves using curl commands that inject SQL code to induce delays, such as using the SQL SLEEP() function, to confirm the presence of the SQL injection vulnerability.

For example, a proof-of-concept curl command can be constructed to send a request with a payload that triggers a delay if the injection is successful, indicating the vulnerability.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Product Filter for WooCommerce by WBW plugin to version 3.1.3 or later, where the issue has been fixed.

Until the update can be applied, consider restricting access to the vulnerable AJAX endpoints or implementing web application firewall (WAF) rules to block malicious payloads targeting the affected parameters.

Compliance Impact

The vulnerability CVE-2026-3830 allows unauthenticated attackers to perform SQL injection attacks on the backend database of the affected WordPress plugin. Such unauthorized access and manipulation of database contents can lead to exposure or alteration of sensitive data.

This kind of security flaw can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to properly sanitize inputs leading to SQL injection could result in data breaches, which are reportable incidents under these regulations, potentially causing legal and financial consequences for affected organizations.

Hi! I’m here to help you understand CVE-2026-3830. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-3830

SQL Injection in Product Filter for WooCommerce Plugin

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart