Unauthorized Data Loss in WooCommerce Product Filter Plugin by WBW

CVE-2026-3138

What is CVE-2026-3138?

The Product Filter for WooCommerce by WBW is susceptible to unauthorized data loss due to a failure in implementing capability checks. This affects all versions up to and including 3.1.2. The plugin's reliance on an MVC framework allows unauthenticated AJAX handlers to be registered without verification of user capabilities. Specifically, the use of wp_ajax_nopriv_ hooks, coupled with the base controller's __call() magic method, enables attackers to trigger undefined method calls. Furthermore, the havePermissions() method defaults to true when no permissions are defined, creating a loophole for attackers to manipulate the plugin's wp_wpf_filters database table, resulting in complete loss of filter configurations via malicious AJAX calls with action=delete.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References