SQL Injection Vulnerability in Product Filter by WBW for WordPress
CVE-2025-2317

7.5HIGH

Key Information:

Vendor: WordPress
Status: Product Filter By Wbw
Vendor: CVE Published:; 4 April 2025

What is CVE-2025-2317?

The Product Filter by WBW plugin for WordPress is susceptible to time-based SQL Injection through the filtersDataBackend parameter, affecting all versions up to 2.7.9. The vulnerability arises from inadequate parameter escaping and insufficient preparation in the SQL query, allowing unauthenticated attackers to inject malicious SQL commands. This exploit can lead to unauthorized extraction of sensitive database information, compromising site integrity and security.

Affected Version(s)

Product Filter by WBW * <= 2.7.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/woo-product-fi...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2025
Vulnerability Reserved
Mar 14, 2025

Credit

Trương Hữu Phúc (truonghuuphuc)