CVE-2026-3138
Description
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via wp_ajax_nopriv_ hooks without verifying user capabilities, combined with the base controller's __call() magic method forwarding undefined method calls to the model layer, and the havePermissions() method defaulting to true when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's wp_wpf_filters database table via a crafted AJAX request with action=delete, permanently destroying all filter configurations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can permanently delete all filter configurations in the Product Filter for WooCommerce plugin by sending a crafted AJAX request due to missing capability checks.
Vulnerability
Overview
The Product Filter for WooCommerce by WBW plugin for WordPress, in all versions up to and including 3.1.2, is missing a capability check on its AJAX entry points, which lets an unauthenticated attacker delete every stored filter configuration. Three framework behaviours combine to make this possible: the plugin's MVC framework registers its AJAX handlers on wp_ajax_nopriv_ hooks, so WordPress invokes them for visitors who are not logged in; the base controller's __call() magic method forwards any method name the controller does not define straight to the model layer; and havePermissions() returns true for any method that has no explicitly defined permission. The result is that a request naming a model method the controller never meant to expose passes the permission check and is executed against the database.
Exploitation
The attacker sends a crafted AJAX request carrying action=delete to the plugin's handler. WordPress's admin-ajax.php dispatches the request's action parameter to the matching wp_ajax_nopriv_ hook when no user is logged in, so no credentials are needed and the request can come from any host that can reach the site. Because the controller defines no delete method, __call() forwards the call to the model; havePermissions() has no entry for it and returns true; and the model's delete runs against wp_wpf_filters with no row restriction, removing every row. The table itself survives, but it holds all of the site's filter configurations, so the plugin is left with none. (wp_ is the default table prefix; on a site with a custom prefix the table name changes accordingly.)
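The pattern described in the Overview and Exploitation sections, reconstructed as an added illustration rather than the plugin's own code: a minimal WordPress AJAX controller with the three flaws stacked (dynamic wp_ajax_nopriv_ registration, __call() forwarding to the model, default-allow havePermissions()), followed by a hardened form of the same controller. The class names, hook names, request layout and the manage_woocommerce capability are assumptions made for this example; the plugin's real classes in controller.php, frame.php and table.php are not reproduced here.

```php
<?php
// Added illustration, not the plugin's code. Class names, hook names, the
// request layout and the capability name are assumptions for this example.

class WpfTable {
    public function __construct(private \wpdb $db, private string $table) {}

    // An unscoped delete removes every row: the "truncate" the advisory describes.
    public function delete(array $where = []): int|false {
        if ($where === []) {
            return $this->db->query("DELETE FROM {$this->table}");
        }
        return $this->db->delete($this->table, $where);
    }
}

class WpfModel {
    public function __construct(private WpfTable $table) {}

    public function delete(array $params = []): int|false {
        return $this->table->delete($params['where'] ?? []);
    }
}

// ---- Vulnerable controller: the three flaws stacked ----------------------
class WpfVulnerableController {
    public function __construct(protected WpfModel $model) {}

    // Flaw 1: every public model method gets a wp_ajax_nopriv_ hook, so
    // admin-ajax.php routes action=delete here for anonymous callers too.
    public function register(): void {
        foreach (get_class_methods($this->model) as $method) {
            if ($method[0] === '_') continue; // skip __construct etc.
            add_action("wp_ajax_{$method}", [$this, 'dispatch']);
            add_action("wp_ajax_nopriv_{$method}", [$this, 'dispatch']);
        }
    }

    // Flaw 3: no permission map is defined, so nothing is ever denied.
    protected function getPermissions(): array { return []; }

    public function havePermissions(string $method): bool {
        $perms = $this->getPermissions();
        if (!isset($perms[$method])) {
            return true; // default-allow
        }
        return current_user_can($perms[$method]);
    }

    // Flaw 2: a method the controller does not define is forwarded to the model.
    public function __call(string $name, array $args) {
        if (method_exists($this->model, $name)) {
            return $this->model->$name(...$args);
        }
        wp_send_json_error(['error' => 'unknown action'], 404);
    }

    public function dispatch(): void {
        $action = sanitize_key($_REQUEST['action'] ?? '');
        if (!$this->havePermissions($action)) {
            wp_send_json_error(['error' => 'forbidden'], 403);
        }
        // No delete() here -> __call() -> WpfModel::delete($_REQUEST); with no
        // "where" in the request, WpfTable::delete() runs unscoped.
        wp_send_json_success($this->$action($_REQUEST));
    }
}

// ---- Hardened form of the same controller --------------------------------
class WpfHardenedController {
    // Explicit allowlist: method => required capability. Unlisted = denied.
    private const PERMISSIONS = ['delete' => 'manage_woocommerce'];

    public function __construct(private WpfModel $model) {}

    public function havePermissions(string $method): bool {
        return isset(self::PERMISSIONS[$method])
            && current_user_can(self::PERMISSIONS[$method]);
    }

    // One named handler on the logged-in hook only; no __call() forwarding.
    public function register(): void {
        add_action('wp_ajax_wpf_delete_filter', [$this, 'deleteFilter']);
    }

    public function deleteFilter(): void {
        check_ajax_referer('wpf_delete_filter', 'nonce'); // CSRF token
        if (!$this->havePermissions('delete')) {
            wp_send_json_error(['error' => 'forbidden'], 403);
        }
        $id = absint($_POST['id'] ?? 0);
        if ($id === 0) {
            wp_send_json_error(['error' => 'id required'], 400);
        }
        // WHERE is built server-side, so the unscoped delete is unreachable.
        wp_send_json_success($this->model->delete(['where' => ['id' => $id]]));
    }
}
```

In the vulnerable class an anonymous POST to admin-ajax.php with action=delete is routed by WordPress to wp_ajax_nopriv_delete, reaches dispatch(), passes the default-allow check, falls through __call() to WpfModel::delete($_REQUEST), and ends in DELETE FROM with no WHERE. The hardened class inverts each flaw: denial is the default, only a named handler is reachable, the handler is not registered on the nopriv hook, and a nonce plus capability check guard it. As defence in depth, WpfTable::delete() should also refuse an empty $where outright rather than trusting every caller to scope it.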
Impact
Successful exploitation permanently removes every filter configuration the site administrators built. Since the rows are deleted rather than marked as removed, recovery means restoring the wp_wpf_filters table from a backup or recreating each filter by hand; until then, storefronts that rely on product filtering lose that functionality. The vulnerability is rated medium severity (CVSS 6.5): it needs no authentication, but its effect is confined to the loss of the plugin's own filter data.
Mitigation
As of April 27, 2026, the plugin has been closed on the WordPress plugin repository pending a full review [1]. Users are advised to remove the plugin, or to update as soon as a patched version is published. No workaround is documented, so site administrators should confirm that backups of the wp_wpf_filters table exist (with WP-CLI, wp db export --tables=wp_wpf_filters writes just that table, assuming the default wp_ prefix) and consider disabling the plugin (wp plugin deactivate woo-product-filter) until a fix is released. To check exposure, compare the installed version (wp plugin get woo-product-filter --field=version) against the affected range of 3.1.2 and below.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- woo-product-filter (Product Filter for WooCommerce by WBW): all versions <= 3.1.2
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/controller.php (NVD)
- plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/frame.php (NVD)
- plugins.trac.wordpress.org/browser/woo-product-filter/tags/3.1.0/classes/table.php (NVD)
- plugins.trac.wordpress.org/changeset (NVD)
- wordpress.org/plugins/woo-product-filter/ (NVD)
- www.wordfence.com/threat-intel/vulnerabilities/id/085a4fae-c3f4-45f9-ab30-846c6297d04e (NVD)
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026), Wordfence Blog · May 7, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026), Wordfence Blog · Apr 23, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026), Wordfence Blog · Apr 16, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026), Wordfence Blog · Apr 2, 2026