VYPR
← All advisories
High severity8.6NVD Advisory· Published Apr 13, 2026· Updated Apr 15, 2026

CVE-2026-3830

CVE-2026-3830

Description

The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Product Filter for WooCommerce by WBW plugin before 3.1.3 is vulnerable to unauthenticated SQL injection, allowing attackers to execute arbitrary SQL queries.

The Product Filter for WooCommerce by WBW plugin for WordPress fails to sanitize and escape a parameter before using it in a SQL statement. This lack of input validation allows unauthenticated users to inject malicious SQL queries.

An attacker without any authentication can exploit this vulnerability by sending a specially crafted request to the vulnerable parameter. No special privileges or network access is required, making the attack surface broad and easily exploitable.

Successful exploitation of this SQL injection can lead to unauthorized reading, modification, or deletion of sensitive database content, including user credentials, posts, and configuration data. This could result in full compromise of the WordPress site.

The vulnerability has been addressed in version 3.1.3 of the plugin. Users are strongly advised to update to the latest version immediately to mitigate the risk [1].

References
  1. Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

4