Product Filter for WooCommerce by WBW Security & Risk Analysis

wordpress.org/plugins/woo-product-filter

Filter products by categories, attributes, prices, and more. Elementor Compatibility. Shoppers easily find products with WooCommerce Product Filter

60K active installs · v3.1.2 · PHP + WP 3.4.0+ · Updated Mar 10, 2026
e-commerce-filter · product-filter · shop-filter · woocommerce-filter · woocommerce-product-filter
Score 89 · A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Oct 24, 2025
Safety Verdict

Is Product Filter for WooCommerce by WBW Safe to Use in 2026?

Generally Safe

Score 89/100

Product Filter for WooCommerce by WBW has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Oct 24, 2025 · Updated 23d ago
Risk Assessment

The "woo-product-filter" v3.1.2 plugin exhibits a mixed security posture. While static analysis shows no identified entry points without authentication checks (AJAX, REST API, shortcodes) and a high percentage of properly escaped output, significant concerns remain. The presence of 16 dangerous function calls, notably "unserialize", presents a potential attack vector if not handled with extreme care, as it can lead to object injection vulnerabilities. The SQL query handling is also a point of concern, with 53% of queries not using prepared statements, increasing the risk of SQL injection, especially when combined with other potential weaknesses. The plugin's vulnerability history is substantial, with 6 known CVEs, all of which are currently patched. However, the historical prevalence of Missing Authorization and SQL Injection vulnerabilities indicates a pattern that requires ongoing vigilance from both the developer and users. The most recent recorded vulnerability (2025-10-24) suggests a need for continuous security updates and auditing.

Despite the positive indicators like a lack of unprotected entry points and good output escaping, the identified dangerous functions and the significant portion of raw SQL queries are notable weaknesses. The vulnerability history, while currently patched, highlights recurring issues that have required significant attention. Users should be aware that while this version appears to have addressed past CVEs, the inherent code patterns like "unserialize" and less-than-ideal SQL practices warrant caution and prompt updates as new vulnerabilities may arise.

Key Concerns

  • 16 dangerous function calls found
  • 47% of SQL queries not using prepared statements
  • 6 known CVEs in history (even if patched)
  • Historical SQL Injection vulnerabilities
  • Historical Missing Authorization vulnerabilities
Vulnerabilities
6

Product Filter for WooCommerce by WBW Security Vulnerabilities

CVEs by Year

1 CVE in 2021
1 CVE in 2023
1 CVE in 2024
3 CVEs in 2025

Severity Breakdown

High: 3
Medium: 3

6 total CVEs

CVE-2025-11269 · medium · 5.3 · Missing Authorization

Product Filter by WBW <= 3.0.0 - Missing Authorization to Unauthenticated Settings Update

Oct 24, 2025 · Patched in 3.0.1 (1d)

CVE-2025-8416 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product Filter by WBW <= 2.9.7 - Unauthenticated SQL Injection

Oct 24, 2025 · Patched in 2.9.8 (1d)

CVE-2025-2317 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product Filter by WBW <= 2.7.9 - Unauthenticated SQL Injection via filtersDataBackend Parameter

Apr 3, 2025 · Patched in 2.8.0 (1d)

CVE-2024-49691 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product Filter by WBW <= 2.7.0 - Authenticated (Administrator+) SQL Injection

Oct 21, 2024 · Patched in 2.7.1 (10d)

CVE-2023-50877 · medium · 4.3 · Missing Authorization

Product Filter by WBW <= 2.5.0 - Missing Authorization via getListForTbl

Dec 26, 2023 · Patched in 2.5.1 (28d)

CVE-2021-4444 · high · 7.3 · Missing Authorization

Product Filter by WooBeWoo <= 1.4.9 - Missing Authorization

May 7, 2021 · Patched in 1.5.0 (1258d)
Code Analysis
Analyzed Mar 16, 2026

Product Filter for WooCommerce by WBW Code Analysis

Dangerous Functions: 16
Raw SQL Queries: 8 · 7 prepared
Unescaped Output: 113 · 894 escaped
Nonce Checks: 13
Capability Checks: 11
File Operations: 9
External Requests: 4
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $modDataArr = unserialize(WPF_PRO_MODULES); · classes\modInstaller.php:154
unserialize · return unserialize($data); · classes\utils.php:16
unserialize · $valuesArr = ( 7 == $keyType ? $values['meta_value'] : @unserialize($values['meta_value']) ); · modules\meta\models\meta.php:343
unserialize · $valuesArr = @unserialize($values['meta_value']); · modules\meta\models\meta.php:692
unserialize · $filtersSettings = unserialize( $filter['setting_data'] ); · modules\options\mod.php:46
unserialize · $settings = unserialize($filter['setting_data']); · modules\woofilters\controller.php:85
unserialize · $settings = unserialize($filter['setting_data']); · modules\woofilters\controller.php:122
unserialize · $settings = unserialize( $filter['setting_data'] ); · modules\woofilters\mod.php:1062
unserialize · $filtersSettings = unserialize( $filter['setting_data'] ); · modules\woofilters\mod.php:1543
unserialize · $settings = unserialize($filter['setting_data']); · modules\woofilters\models\settings.php:30
unserialize · $settings = unserialize($duplicateData['setting_data']); · modules\woofilters\models\woofilters.php:293
unserialize · $settings = unserialize($filter['setting_data']); · modules\woofilters\models\woofilters.php:461
unserialize · $settings = unserialize($filter['setting_data']); · modules\woofilters\views\woofilters.php:136
unserialize · $settings = unserialize($filter['setting_data'])['settings']; · modules\woofilters\views\woofilters.php:3463
unserialize · $filtersSettings[ $filter['id'] ] = unserialize($filter['setting_data']); · modules\woofilters_widget\elementor\woofilters.php:101
unserialize · $filtersSettings[ $filter['id'] ] = unserialize($filter['setting_data']); · modules\woofilters_widget\mod.php:79

Bundled Libraries

jQuery

SQL Query Safety

47% prepared · 15 total queries

Output Escaping

89% escaped · 1007 total outputs
Attack Surface

Product Filter for WooCommerce by WBW Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 107
action · admin_notices · classes\errors.php:48
filter · the_content · classes\errors.php:50
action · init · classes\frame.php:205
action · after_plugin_row_woofilter-pro/woofilter-pro.php · classes\frame.php:206
filter · the_content · classes\frame.php:207
action · init · classes\frame.php:399
filter · esc_html · classes\html.php:7
action · activated_plugin · classes\modInstaller.php:167
filter · sanitize_text_field · classes\req.php:8
action · activated_plugin · classes\utils.php:332
action · admin_notices · functions.php:327
action · admin_init · functions.php:357
action · admin_menu · modules\adminmenu\mod.php:7
action · woocommerce_update_product · modules\meta\mod.php:27
action · acf/save_post · modules\meta\mod.php:28
action · woocommerce_product_set_stock_status · modules\meta\mod.php:29
action · woocommerce_variation_set_stock_status · modules\meta\mod.php:30
action · wpf_calc_meta_indexing · modules\meta\mod.php:31
action · wpf_calc_meta_indexing_shedule · modules\meta\mod.php:32
action · wpf_calc_meta_optimizing_shedule · modules\meta\mod.php:33
filter · woocommerce_product_csv_importer_steps · modules\meta\mod.php:35
action · init · modules\options\mod.php:33
action · init · modules\options\mod.php:34
filter · http_api_curl · modules\overview\models\overview.php:166
action · admin_enqueue_scripts · modules\templates\mod.php:70
action · init · modules\templates\mod.php:71
filter · loop_shop_columns · modules\woofilters\controller.php:218
filter · post_class · modules\woofilters\controller.php:225
filter · woocommerce_loop_add_to_cart_link · modules\woofilters\controller.php:226
filter · primer_wc_pagination_args · modules\woofilters\controller.php:463
filter · posts_clauses · modules\woofilters\controller.php:798
filter · posts_clauses · modules\woofilters\controller.php:801
action · admin_notices · modules\woofilters\mod.php:57
action · wp_enqueue_scripts · modules\woofilters\mod.php:60
filter · yith_wapo_disable_jqueryui · modules\woofilters\mod.php:62
filter · woocommerce_redirect_single_search_result · modules\woofilters\mod.php:66
action · woocommerce_product_query · modules\woofilters\mod.php:77
filter · query_loop_block_query_vars · modules\woofilters\mod.php:80
action · woocommerce_shortcode_products_query · modules\woofilters\mod.php:82
filter · fl_builder_loop_query_args · modules\woofilters\mod.php:85
filter · fl_builder_loop_query · modules\woofilters\mod.php:91
filter · uael_woo_product_query_args · modules\woofilters\mod.php:102
action · woocommerce_shortcode_before_products_loop · modules\woofilters\mod.php:107
action · woocommerce_shortcode_before_sale_products_loop · modules\woofilters\mod.php:108
action · pre_get_posts · modules\woofilters\mod.php:114
filter · loop_shop_per_page · modules\woofilters\mod.php:121
filter · post_class · modules\woofilters\mod.php:125
filter · yith_woocompare_actions_to_check_frontend · modules\woofilters\mod.php:126
action · wp_loaded · modules\woofilters\mod.php:128
filter · woocommerce_shortcode_products_query_results · modules\woofilters\mod.php:139
action · elementor/widget/before_render_content · modules\woofilters\mod.php:140
action · woocommerce_is_filtered · modules\woofilters\mod.php:141
action · shortcode_atts_products · modules\woofilters\mod.php:142
filter · db_archive_module_args · modules\woofilters\mod.php:146
filter · fusion_post_cards_shortcode_query_args · modules\woofilters\mod.php:152
filter · fusion_woo_product_grid_query_args · modules\woofilters\mod.php:153
action · pre_get_posts · modules\woofilters\mod.php:159
filter · woocommerce_blocks_product_grid_is_cacheable · modules\woofilters\mod.php:160
action · elementor/frontend/before_render · modules\woofilters\mod.php:165
filter · elementor/widget/render_content · modules\woofilters\mod.php:166
filter · woocommerce_product_object_query_args · modules\woofilters\mod.php:168
filter · woolementor-product_query_params · modules\woofilters\mod.php:171
filter · aws_search_results_products_ids · modules\woofilters\mod.php:174
filter · aws_search_page_filters · modules\woofilters\mod.php:175
filter · qi_addons_for_elementor_filter_query_params · modules\woofilters\mod.php:186
filter · dipl_woo_products_args · modules\woofilters\mod.php:189
filter · pre_do_shortcode_tag · modules\woofilters\mod.php:191
filter · avia_product_slide_query · modules\woofilters\mod.php:203
filter · bricks/posts/query_vars · modules\woofilters\mod.php:206
filter · jet-woo-builder/shortcodes/jet-woo-products/final-query-args · modules\woofilters\mod.php:209
action · wp_robots · modules\woofilters\mod.php:213
filter · wpf_addFilterExistsItemsArgs · modules\woofilters\mod.php:303
action · pre_get_posts · modules\woofilters\mod.php:331
action · pre_get_posts · modules\woofilters\mod.php:337
filter · posts_clauses_request · modules\woofilters\mod.php:783
action · the_widget · modules\woofilters\mod.php:1477
filter · posts_clauses · modules\woofilters\mod.php:1580
filter · posts_clauses · modules\woofilters\mod.php:1592
filter · posts_clauses · modules\woofilters\mod.php:1595
filter · posts_clauses · modules\woofilters\mod.php:1598
filter · posts_clauses · modules\woofilters\mod.php:1601
filter · posts_clauses · modules\woofilters\mod.php:1604
filter · posts_clauses · modules\woofilters\mod.php:1607
filter · posts_clauses · modules\woofilters\mod.php:1610
filter · posts_clauses · modules\woofilters\mod.php:1613
filter · posts_clauses · modules\woofilters\mod.php:1616
filter · woocommerce_product_loop_start · modules\woofilters\mod.php:1669
filter · term_link · modules\woofilters\mod.php:1709
filter · posts_clauses · modules\woofilters\mod.php:2107
filter · posts_clauses · modules\woofilters\mod.php:2110
filter · posts_clauses · modules\woofilters\mod.php:2113
filter · posts_clauses · modules\woofilters\mod.php:2116
filter · posts_clauses · modules\woofilters\mod.php:2119
filter · posts_clauses · modules\woofilters\mod.php:2122
filter · posts_clauses · modules\woofilters\mod.php:2125
filter · posts_clauses · modules\woofilters\mod.php:2128
filter · posts_clauses · modules\woofilters\mod.php:2131
filter · posts_clauses · modules\woofilters\mod.php:2134
filter · posts_where · modules\woofilters\mod.php:2953
filter · pre_do_shortcode_tag · modules\woofilters\mod.php:4857
filter · woocommerce_change_term_counts · modules\woofilters\views\woofilters.php:1335
filter · terms_clauses · modules\woofilters\views\woofilters.php:2477
filter · raw_woocommerce_price · modules\woofilters\views\woofilters.php:3189
action · widgets_init · modules\woofilters_widget\mod.php:5
action · elementor/widgets/register · modules\woofilters_widget\mod.php:7
action · elementor/editor/before_enqueue_scripts · modules\woofilters_widget\mod.php:10
action · before_woocommerce_init · woo-product-filter.php:28

Scheduled Events: 5

wpf_calc_meta_indexing
wpf_calc_meta_indexing
wpf_calc_meta_indexing
wpf_calc_meta_indexing_shedule
wpf_calc_meta_optimizing_shedule
Maintenance & Trust

Product Filter for WooCommerce by WBW Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version
Downloads: 2.7M

Community Trust

Rating: 96/100
Number of ratings: 320
Active installs: 60K
Developer Profile

Product Filter for WooCommerce by WBW Developer Profile

WBW Plugins

3 plugins · 66K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 169 days
Detection Fingerprints

How We Detect Product Filter for WooCommerce by WBW

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/woo-product-filter/assets/css/admin.css
/wp-content/plugins/woo-product-filter/assets/css/front.css
/wp-content/plugins/woo-product-filter/assets/css/jquery-ui.css
/wp-content/plugins/woo-product-filter/assets/css/materialize.min.css
/wp-content/plugins/woo-product-filter/assets/css/owl.carousel.css
/wp-content/plugins/woo-product-filter/assets/css/select2.css
/wp-content/plugins/woo-product-filter/assets/css/style.css
/wp-content/plugins/woo-product-filter/assets/js/admin.js
+4 more
Script Paths
/wp-content/plugins/woo-product-filter/assets/js/front.js
/wp-content/plugins/woo-product-filter/assets/js/admin.js
Version Parameters
woo-product-filter/assets/css/admin.css?ver=
woo-product-filter/assets/css/front.css?ver=
woo-product-filter/assets/css/jquery-ui.css?ver=
woo-product-filter/assets/css/materialize.min.css?ver=
woo-product-filter/assets/css/owl.carousel.css?ver=
woo-product-filter/assets/css/select2.css?ver=
woo-product-filter/assets/css/style.css?ver=
woo-product-filter/assets/js/admin.js?ver=
woo-product-filter/assets/js/front.js?ver=
woo-product-filter/assets/js/jquery-ui.js?ver=
woo-product-filter/assets/js/owl.carousel.js?ver=
woo-product-filter/assets/js/select2.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpf_filter_warper
wpf_products_wrapper
HTML Comments
<!-- Product Filter by WBW -->
Data Attributes
data-plugin-name="woo-product-filter"
JS Globals
wpf_data
Shortcode Output
[woofilter]
FAQ

Frequently Asked Questions about Product Filter for WooCommerce by WBW