CVE-2026-3138
Description
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via wp_ajax_nopriv_ hooks without verifying user capabilities, combined with the base controller's __call() magic method forwarding undefined method calls to the model layer, and the havePermissions() method defaulting to true when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's wp_wpf_filters database table via a crafted AJAX request with action=delete, permanently destroying all filter configurations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=3.1.2
Patches
Vulnerability mechanics
References
7- plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.phpnvd
- plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.phpnvd
- plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.phpnvd
- plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- wordpress.org/plugins/woo-product-filter/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04envd
News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026)Wordfence Blog · Apr 2, 2026