[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8LZKwu6_wWctsZudWYVsO5rjaZmJJ28kKVXsdexX3IA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3830","product-filter-for-woocommerce-by-wbw-unauthenticated-sql-injection","Product Filter for WooCommerce by WBW \u003C 3.1.3 - Unauthenticated SQL Injection","The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to SQL Injection in versions up to 3.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","woo-product-filter",null,"\u003C3.1.3","3.1.3","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-03-23 00:00:00","2026-05-05 14:53:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1057b1ee-9bcb-4b3b-bbc0-3262e658bb97?source=api-prod",44,[22,23,24,25,26,27,28,29],"changelog.txt","classes\u002Fcontroller.php","classes\u002Fframe.php","classes\u002FmodInstaller.php","config.php","modules\u002Fmeta\u002Fcontroller.php","modules\u002Fwoofilters\u002Fcontroller.php","modules\u002Fwoofilters\u002Fjs\u002Ffrontend.woofilters.js","researched",false,3,"This analysis targets an unauthenticated SQL injection vulnerability in the **Product Filter for WooCommerce by WBW** plugin (version \u003C 3.1.3). The vulnerability stems from improper sanitization and lack of query preparation when processing filter parameters in the frontend AJAX request.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the `WoofiltersControllerWpf` class within the `modules\u002Fwoofilters\u002Fcontroller.php` file. Specifically, the `filtersFrontend()` method processes user-supplied JSON data from the `filtersDataBackend` and `queryvars` parameters. This data is passed into SQL-building functions that utilize the `_prepareTextLikeSearch()` method, which performs direct string concatenation of user input into a SQL `LIKE` clause without using `$wpdb->prepare()` or sufficient escaping.\n\n### 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wpf_ajax`\n- **Query Parameters**: `pl=wpf`, `mod=woofilters`, `task=filtersFrontend`\n- **POST Parameters**: \n    - `filtersDataBackend`: A JSON-encoded array containing filter configurations.\n    - `queryvars`: A JSON-encoded object containing WooCommerce query arguments.\n- **Authentication**: None required (Unauthenticated).\n- **Preconditions**: At least one product must exist in WooCommerce for the filter logic to execute its database queries.\n\n### 3. Code Flow\n1. **Entry**: A request is sent to `admin-ajax.php` with `action=wpf_ajax`.\n2. **Routing**: `FrameWpf::parseRoute()` (in `classes\u002Fframe.php`) extracts `mod=woofilters` and `task=filtersFrontend`.\n3. **Execution**: `FrameWpf::exec()` calls `WoofiltersControllerWpf::filtersFrontend()`.\n4. **Processing**: `filtersFrontend()` decodes the `filtersDataBackend` JSON.\n5. **Vulnerable Sink**: The controller logic (via `createArgsForFiltering`) processes search-type filters using `_prepareTextLikeSearch($val)` (line 15 of `modules\u002Fwoofilters\u002Fcontroller.php`):\n   ```php\n   protected function _prepareTextLikeSearch( $val ) {\n       $query = '(title LIKE \"%' . $val . '%\"'; \u002F\u002F \u003C--- SQL INJECTION POINT\n       if ( is_numeric($val) ) {\n           $query .= ' OR id LIKE \"%' . (int) $val . '%\"';\n       }\n       $query .= ')';\n       return $query;\n   }\n   ```\n6. **Query Execution**: The resulting unescaped string is added to the model's `WHERE` clause via `$model->addWhere(array('additionalCondition' => $query))` and executed against the database.\n\n### 4. Nonce Acquisition Strategy\nWhile `filtersFrontend` does not strictly enforce a nonce check (making it unauthenticated), the plugin often localizes a nonce for other frontend features. If an environment requires a nonce for all `wpf_ajax` actions, use the following:\n\n1. 
**Shortcode**: The plugin uses `[wpf-filters id=...]`.\n2. **Setup**: Create a filter and a page containing its shortcode.\n   ```bash\n   wp post create --post_type=wpf_filters --post_title=\"Exploit Filter\" --post_status=publish\n   # Note the ID of the new post (e.g., 123)\n   wp post create --post_type=page --post_title=\"Filter Page\" --post_content=\"[wpf-filters id=123]\" --post_status=publish\n   ```\n3. **Extraction**: Use `browser_navigate` to the new page and `browser_eval` to extract the localized settings:\n   ```javascript\n   \u002F\u002F WBW typically localizes data into a variable named after the plugin\u002Fmodule\n   \u002F\u002F Look for 'wpfNonce' in the localized object\n   window.wpfFrontendPage?.nonce || window.wpfMainWrapper?.wpfNonce\n   ```\n\n### 5. Exploitation Strategy\nWe will use a time-based blind SQL injection payload within the `filtersDataBackend` JSON structure, targeting the search filter logic.\n\n**HTTP Request (via `http_","The Product Filter for WooCommerce by WBW plugin is vulnerable to unauthenticated SQL injection due to the improper concatenation of user-supplied data into SQL queries. Attackers can exploit this via the filtersFrontend AJAX action to extract sensitive database information or perform time-based blind attacks.","\u002F\u002F modules\u002Fwoofilters\u002Fcontroller.php around line 15\nprotected function _prepareTextLikeSearch( $val ) {\n    $query = '(title LIKE \"%' . $val . '%\"';\n    if ( is_numeric($val) ) {\n        $query .= ' OR id LIKE \"%' . (int) $val . 
'%\"';\n    }\n    $query .= ')';\n    return $query;\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-filter\u002F3.1.2\u002Fclasses\u002Fframe.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-filter\u002F3.1.3\u002Fclasses\u002Fframe.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-filter\u002F3.1.2\u002Fclasses\u002Fframe.php\t2025-11-28 17:20:46.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwoo-product-filter\u002F3.1.3\u002Fclasses\u002Fframe.php\t2026-03-20 11:01:42.000000000 +0000\n@@ -406,14 +408,19 @@\n \n \t\u002F**\n \t * _doExec.\n+\t *\n+\t * @version 3.1.3\n \t *\u002F\n \tprotected function _doExec() {\n \t\t$mod = $this->getModule($this->_mod);\n \t\tif ($mod && $this->checkPermissions($this->_mod, $this->_action)) {\n \t\t\tswitch (ReqWpf::getVar('reqType')) {\n \t\t\t\tcase 'ajax':\n-\t\t\t\t\tadd_action('wp_ajax_'        . $this->_action, array($mod->getController(), $this->_action));\n-\t\t\t\t\tadd_action('wp_ajax_nopriv_' . $this->_action, array($mod->getController(), $this->_action));\n+\t\t\t\t\tadd_action('wp_ajax_' . $this->_action, array($mod->getController(), $this->_action));\n+\t\t\t\t\t$noprivActions = array( 'filtersFrontend', 'getTaxonomyTerms' );\n+\t\t\t\t\tif ( in_array( $this->_action, $noprivActions ) ) {\n+\t\t\t\t\t\tadd_action('wp_ajax_nopriv_' . $this->_action, array($mod->getController(), $this->_action));\n+\t\t\t\t\t}\n \t\t\t\t\tbreak;\n \t\t\t\tdefault:\n \t\t\t\t\t$this->_res = $mod->exec($this->_action);","The exploit targets the unauthenticated AJAX endpoint 'wpf_ajax' with the 'filtersFrontend' task. An attacker sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the parameter 'pl=wpf', 'mod=woofilters', and 'task=filtersFrontend'. 
The payload is embedded within the 'filtersDataBackend' JSON parameter, specifically within a search-type filter value. Because the plugin concatenates this value directly into a LIKE clause in the '_prepareTextLikeSearch' method without using $wpdb->prepare() or escaping, an attacker can use a payload like '\") OR SLEEP(5)-- -' to trigger a time-based blind SQL injection.","gemini-3-flash-preview","2026-04-27 14:44:57","2026-04-27 14:45:47",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.1.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-filter\u002Ftags\u002F3.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-product-filter.3.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-filter\u002Ftags\u002F3.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoo-product-filter.3.1.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoo-product-filter\u002Ftags"]
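Review bot: in the `case 'ajax':` branch of `_doExec()` in classes/frame.php, the new `$noprivActions` allowlist still contains `filtersFrontend`, so the unauthenticated route to the action this record names as the injection entry point remains registered after the change. This hunk narrows which other actions are reachable without a login, but it does not touch `_prepareTextLikeSearch()`, which concatenates `$val` into the `LIKE` clause. The record lists modules/woofilters/controller.php among the patched files, yet that hunk is not shown here, so the query fix cannot be confirmed from this diff alone; it should be checked that the search value now goes through `$wpdb->prepare()` with `$wpdb->esc_like()` rather than string concatenation. Two smaller points on the added lines: pass `true` as the third argument to `in_array( $this->_action, $noprivActions )` so the comparison is strict, and consider letting each module declare its own public actions instead of hard-coding woofilters action names in the shared frame class.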