SQL Injection Vulnerability in WooCommerce Ajax Product Filter Plugin by WordPress
CVE-2026-3396

7.5HIGH

Key Information:

Vendor: Shamimmoeen
Status: Wcapf – Ajax Product Filter For WooCommerce
Vendor: CVE Published:; 8 April 2026

🔔 Create Shamimmoeen Vulnerability Alert

What is CVE-2026-3396?

The WooCommerce Ajax Product Filter plugin for WordPress contains a vulnerability due to improper escaping of user input in the 'post-author' parameter. This flaw enables unauthenticated attackers to execute time-based SQL injection attacks, allowing them to manipulate existing SQL queries and potentially retrieve sensitive information from the database. All versions up to and including 4.2.3 are susceptible to this security issue, highlighting the need for immediate updates and robust security measures to protect user data.

Affected Version(s)

WCAPF – Ajax Product Filter for WooCommerce 0 <= 4.2.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wc-ajax-produc...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Feb 28, 2026

Credit

Youssef Elouaer

CVE-2026-3396 Data

JSON