{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3138", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-24T17:37:54.106Z", "datePublished": "2026-03-24T04:27:49.387Z", "dateUpdated": "2026-03-24T15:12:19.084Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-24T04:27:49.387Z"}, "affected": [{"vendor": "woobewoo", "product": "Product Filter for WooCommerce by WBW", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations."}], "title": "Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04e?source=cve"}, {"url": "https://wordpress.org/plugins/woo-product-filter/"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L416"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L280"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.php#L99"}, {"url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.php#L345"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3487143%40woo-product-filter%2Ftrunk&old=3479545%40woo-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "timeline": [{"time": "2026-02-24T17:53:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-23T16:11:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:10:53.151921Z", "id": "CVE-2026-3138", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:12:19.084Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations."}], "id": "CVE-2026-3138", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-24T05:16:23.727", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.php#L99"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L280"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php#L416"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.php#L345"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3487143%40woo-product-filter%2Ftrunk&old=3479545%40woo-product-filter%2Ftrunk&sfp_email=&sfph_mail=#file2"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/woo-product-filter/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Product Filter for WooCommerce by WBW", "source": "cna", "vendor": "woobewoo"}, "product": "product_filter_for_woocommerce_by_wbw", "vendor": "woobewoo"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-24T06:21:06.516623+00:00", "value": {"mitigation_remediation": ["Upgrade the Product Filter for WooCommerce by WBW plugin to version 3.1.3 or later."], "summary": {"action": "Immediate Patch", "impact": "Data Loss via Unauthenticated Table Truncation"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Product Filter for WooCommerce by WBW plugin in any version up to and including 3.1.2 are affected. The vulnerability does not involve other plugins or core WordPress components. Any site using these versions of the plugin is at risk.", "description_and_impact": "The Product Filter for WooCommerce by WBW plugin for WordPress contains a missing capability check that allows attackers to send unauthenticated AJAX requests using the wp_ajax_nopriv_ hook. The plugin\u2019s controller forwards undefined method calls to the model through a magic __call() method, and default permission checks always return true when no explicit permissions are set. This combination lets an attacker issue a crafted request that executes a TRUNCATE TABLE command on the plugin\u2019s wp_wpf_filters database table, permanently deleting all filter configurations and causing irreversible data loss.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity vulnerability. The EPSS score is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated web request\u2014an attacker can simply send the malicious AJAX call to the vulnerable plugin\u2019s endpoint without needing credentials or any prior compromise."}}}}, "created": "2026-03-24T10:29:02.712634+00:00", "updated": "2026-03-25T20:40:07.649884+00:00", "vendors": ["woobewoo", "woobewoo$PRODUCT$product_filter_for_woocommerce_by_wbw", "wordpress", "wordpress$PRODUCT$wordpress"]}