CVE-2026-3138 in woobewoo Product Filter for WooCommerce by WBW Plugin情報

要約 (英語)

The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations.

責任者

Wordfence

予約する

2026年02月24日

公開

2026年03月24日

エントリ

VulDB provides additional information and datapoints for this CVE:

識別子脆弱性CWE悪用可対策CVE
352663woobewoo Product Filter for WooCommerce by WBW Plugin AJAX 特権昇格862未定義公式な修正CVE-2026-3138

説明

CPE

CWE

CVSS

エクスプロイト

履歴

差分

リンクする

脅威インテリジェンス

API JSON

API XML

API CSV

概要

Want to know what is going to be exploited?

We predict KEV entries!