CVE-2026-3830 PUBLISHED

Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi

Assigner: WPScan
Reserved: 09.03.2026 Published: 13.04.2026 Updated: 13.04.2026

The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

Product Status

Vendor: Unknown
Product: Product Filter for WooCommerce by WBW
Versions: Default: unaffected
  • affected from 0 to 3.1.3 (excl.)

Credits

  • mcdruid (finder)
  • WPScan (coordinator)

References

Problem Types

  • CWE-89 SQL Injection (CWE)