WCAPF – Ajax Product Filter for WooCommerce Security & Risk Analysis

wordpress.org/plugins/wc-ajax-product-filter

Filter WooCommerce products by category, tag, attribute, price, rating, author, meta fields, and keyword using AJAX.

9K active installs · v4.4.0 · PHP 7.2+ · WP 6.0+ · Updated Mar 31, 2026
Tags: ajax-product-filter, price-filter, product-filter, woocommerce-filter, woocommerce-product-filter
Score: 97 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 7, 2026
Safety Verdict

Is WCAPF – Ajax Product Filter for WooCommerce Safe to Use in 2026?

Generally Safe

Score 97/100

WCAPF – Ajax Product Filter for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 7, 2026 · Updated 1mo ago
Risk Assessment

The "wc-ajax-product-filter" plugin v4.3.0 presents a mixed security posture. On the positive side, it demonstrates good practices: a high percentage of its SQL queries use prepared statements, and most of its output is properly escaped. The absence of known CVEs and a clean vulnerability history are also favorable indicators. However, a significant concern lies in its attack surface: of 17 AJAX handlers, 14 lack authentication checks, which creates a considerable entry point for potential abuse. While taint analysis shows no critical or high-severity issues, one flow with an unsanitized path warrants attention, as it could lead to unexpected behavior if exploited.

The plugin's use of raw PHP functions for file operations, though limited to a single instance, could also be a minor concern if not handled with care. The bundled jQuery, while common, introduces a dependency on an external library that may carry vulnerabilities of its own, though the analyzed data indicates no specific issues. Overall, the plugin has a solid foundation in data handling and output sanitization, but the lack of robust authentication on most of its AJAX endpoints is a notable weakness that attackers could target.

Key Concerns

  • 14 unprotected AJAX handlers
  • 1 unsanitized path in taint analysis
  • 1 file operation instance
Vulnerabilities
1 published

WCAPF – Ajax Product Filter for WooCommerce Security Vulnerabilities

CVEs by Year

1 CVE in 2026
Chart legend: Patched · Has unpatched

Severity Breakdown

High: 1

1 total CVE

CVE-2026-3396 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection

Apr 7, 2026 · Patched in 4.3.0 (1d)
Version History

WCAPF – Ajax Product Filter for WooCommerce Release Timeline

v4.4.0 (current)
v4.3.0
v4.2.3: 1 CVE
v4.2.2: 1 CVE
v4.2.1: 1 CVE
v4.2.0: 1 CVE
v4.1.0: 1 CVE
v4.0.0: 1 CVE
v3.3.2: 1 CVE
v3.3.1: 1 CVE
v3.3.0: 1 CVE
v3.2.0: 1 CVE
v3.1.0: 1 CVE
v3.0.0: 1 CVE
v2.0.3: 1 CVE
v2.0.1: 1 CVE
v2.0: 1 CVE
v1.0: 1 CVE
Code Analysis
Analyzed Mar 16, 2026

WCAPF – Ajax Product Filter for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (33 prepared)
Unescaped Output: 16 (236 escaped)
Nonce Checks: 4
Capability Checks: 9
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

94% prepared · 35 total queries

Output Escaping

94% escaped · 252 total outputs
Data Flows · Security: 1 unsanitized

Data Flow Analysis

2 flows, 1 with unsanitized paths
save_settings (includes\hooks\class-wcapf-api.php:865)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface: 14 unprotected

WCAPF – Ajax Product Filter for WooCommerce Attack Surface

Entry Points: 21
Unprotected: 14

AJAX Handlers 17

auth · wp_ajax_wcapf_dismiss_review_notices · includes\class-wcapf-admin.php:50
auth · wp_ajax_wcapf_get_terms_for_modal · includes\hooks\class-wcapf-api.php:51
auth · wp_ajax_wcapf_get_meta_values_for_modal · includes\hooks\class-wcapf-api.php:52
auth · wp_ajax_wcapf_get_post_authors_for_modal · includes\hooks\class-wcapf-api.php:53
auth · wp_ajax_wcapf_get_terms_for_dropdown · includes\hooks\class-wcapf-api.php:54
auth · wp_ajax_wcapf_get_authors_for_dropdown · includes\hooks\class-wcapf-api.php:55
auth · wp_ajax_wcapf_get_pages_for_dropdown · includes\hooks\class-wcapf-api.php:56
auth · wp_ajax_wcapf_get_products_for_dropdown · includes\hooks\class-wcapf-api.php:57
auth · wp_ajax_wcapf_create_sample_form · includes\hooks\class-wcapf-api.php:60
auth · wp_ajax_wcapf_get_form_data · includes\hooks\class-wcapf-api.php:61
auth · wp_ajax_wcapf_add_form · includes\hooks\class-wcapf-api.php:62
auth · wp_ajax_wcapf_save_form · includes\hooks\class-wcapf-api.php:63
auth · wp_ajax_wcapf_delete_form · includes\hooks\class-wcapf-api.php:64
auth · wp_ajax_wcapf_delete_filter · includes\hooks\class-wcapf-api.php:65
auth · wp_ajax_wcapf_save_settings · includes\hooks\class-wcapf-api.php:68
auth · wp_ajax_wcapf_dismiss_v4_migration_notice · includes\migration\class-wcapf-v4-migration-hooks.php:60
auth · wp_ajax_wcapf_dismiss_v4_review_filters_notice · includes\migration\class-wcapf-v4-migration-hooks.php:61

Shortcodes 4

[wcapf_active_filters] includes\shortcodes\class-wcapf-active-filters-shortcode.php:68
[wcapf_form] includes\shortcodes\class-wcapf-filter-form-shortcode.php:128
[wcapf_filter] includes\shortcodes\class-wcapf-filter-shortcode.php:59
[wcapf_reset_button] includes\shortcodes\class-wcapf-reset-button-shortcode.php:65
WordPress Hooks 50
action · admin_menu · includes\class-wcapf-admin.php:42
action · admin_menu · includes\class-wcapf-admin.php:43
action · in_admin_header · includes\class-wcapf-admin.php:44
action · admin_enqueue_scripts · includes\class-wcapf-admin.php:45
action · admin_head · includes\class-wcapf-admin.php:48
action · admin_footer · includes\class-wcapf-admin.php:49
filter · pre_wp_unique_post_slug · includes\class-wcapf-form-filters-utils.php:215
action · wp_enqueue_scripts · includes\class-wcapf-frontend-scripts.php:63
action · init · includes\class-wcapf-post-type.php:51
action · wcapf_form_saved · includes\hooks\class-wcapf-api.php:71
filter · pre_wp_unique_post_slug · includes\hooks\class-wcapf-api.php:998
filter · body_class · includes\hooks\class-wcapf-hooks.php:51
action · wp_footer · includes\hooks\class-wcapf-hooks.php:52
filter · redirect_canonical · includes\hooks\class-wcapf-hooks.php:53
filter · paginate_links · includes\hooks\class-wcapf-hooks.php:54
filter · woocommerce_redirect_single_search_result · includes\hooks\class-wcapf-hooks.php:55
action · woocommerce_before_shop_loop · includes\hooks\class-wcapf-hooks.php:56
action · woocommerce_after_shop_loop · includes\hooks\class-wcapf-hooks.php:57
action · woocommerce_before_template_part · includes\hooks\class-wcapf-hooks.php:58
action · woocommerce_after_template_part · includes\hooks\class-wcapf-hooks.php:59
action · woocommerce_before_shop_loop · includes\hooks\class-wcapf-hooks.php:60
action · woocommerce_before_template_part · includes\hooks\class-wcapf-hooks.php:61
filter · wcapf_form_filter_data · includes\hooks\class-wcapf-hooks.php:62
action · woocommerce_product_query · includes\hooks\class-wcapf-hooks.php:63
filter · posts_clauses · includes\hooks\class-wcapf-hooks.php:392
action · plugins_loaded · includes\hooks\class-wcapf-hooks.php:428
filter · wcapf_get_post_author_args · includes\hooks\class-wcapf-post-author-filter.php:51
filter · wcapf_get_post_author_args · includes\hooks\class-wcapf-post-author-filter.php:52
filter · wcapf_field_filter_type · includes\hooks\class-wcapf-rating-filter.php:51
filter · wcapf_get_terms_args · includes\hooks\class-wcapf-rating-filter.php:53
filter · wcapf_taxonomy_terms · includes\hooks\class-wcapf-rating-filter.php:54
filter · wcapf_taxonomy_filter_values · includes\hooks\class-wcapf-rating-filter.php:56
filter · wcapf_active_taxonomy_filter_data · includes\hooks\class-wcapf-rating-filter.php:57
filter · wcapf_menu_items · includes\hooks\class-wcapf-rating-filter.php:59
filter · wcapf_get_terms_args · includes\hooks\class-wcapf-taxonomy-filter.php:51
filter · wcapf_get_terms_args · includes\hooks\class-wcapf-taxonomy-filter.php:52
filter · wcapf_taxonomy_terms · includes\hooks\class-wcapf-taxonomy-filter.php:54
filter · wcapf_taxonomy_filter_values · includes\hooks\class-wcapf-taxonomy-filter.php:56
filter · wcapf_ancestors_of_active_terms · includes\hooks\class-wcapf-taxonomy-filter.php:57
filter · wcapf_active_taxonomy_filter_data · includes\hooks\class-wcapf-taxonomy-filter.php:58
action · admin_init · includes\migration\class-wcapf-v4-migration-hooks.php:52
filter · wcapf_admin_js_params · includes\migration\class-wcapf-v4-migration-hooks.php:54
action · admin_notices · includes\migration\class-wcapf-v4-migration-hooks.php:57
action · admin_footer · includes\migration\class-wcapf-v4-migration-hooks.php:58
action · admin_footer · includes\migration\class-wcapf-v4-migration-hooks.php:59
action · admin_notices · includes\migration\class-wcapf-v4-migration-hooks.php:67
action · widgets_init · includes\widgets\class-wcapf-filter-widget.php:80
action · admin_notices · wc-ajax-product-filter.php:59
action · woocommerce_loaded · wc-ajax-product-filter.php:60
action · woocommerce_loaded · wc-ajax-product-filter.php:352
Maintenance & Trust

WCAPF – Ajax Product Filter for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 31, 2026
PHP min version: 7.2
Downloads: 191K

Community Trust

Rating: 86/100
Number of ratings: 44
Active installs: 9K
Developer Profile

WCAPF – Ajax Product Filter for WooCommerce Developer Profile

Mainul Hassan

3 plugins · 9K total installs

Trust score: 92
Avg Security Score: 89/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect WCAPF – Ajax Product Filter for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wc-ajax-product-filter/assets/css/frontend.css
/wp-content/plugins/wc-ajax-product-filter/assets/js/frontend.js
Script Paths
/wp-content/plugins/wc-ajax-product-filter/assets/js/frontend.js
Version Parameters
wc-ajax-product-filter/assets/css/frontend.css?ver=
wc-ajax-product-filter/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
wcapf-filter-wrapper
HTML Comments
<!-- WCAPF Filter Start -->
<!-- WCAPF Filter End -->
Data Attributes
data-wcapf-attribute
JS Globals
wcapf_frontend_params
Shortcode Output
[wcapf_filter]
FAQ

Frequently Asked Questions about WCAPF – Ajax Product Filter for WooCommerce