What the vulnerability does
01 Description
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations.
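The fail-open pattern described above, reduced to a stand-alone PHP model next to a fail-closed variant. This is an added example, not the plugin's code: only `__call()` and `havePermissions()` are names from the advisory; the classes, `getPermissions()`, `dispatch()` and the row counter are hypothetical.

```php
<?php
// Simplified model of the pattern described above; NOT the plugin's code.
// FilterModel, BaseController, getPermissions() and dispatch() are hypothetical.
class FilterModel {
    public $rows = 3;                       // constructed stand-in for stored filter rows
    public function delete() { $this->rows = 0; }
}

abstract class BaseController {
    protected $model;
    public function __construct(FilterModel $model) { $this->model = $model; }
    protected function getPermissions(): array { return []; }   // action => capability
    abstract public function havePermissions(string $action, array $caps): bool;

    // Undefined controller methods fall through to the model layer.
    public function __call($name, $args) { return $this->model->$name(...$args); }

    // Stand-in for an AJAX hook callback: $action comes from the request.
    public function dispatch(string $action, array $caps): string {
        if (!$this->havePermissions($action, $caps)) { return 'denied'; }
        $this->$action();
        return 'executed';
    }
}

class FailOpenController extends BaseController {
    public function havePermissions(string $action, array $caps): bool {
        $required = $this->getPermissions();
        if (!isset($required[$action])) {
            return true;                    // nothing declared => allowed (the flaw)
        }
        return in_array($required[$action], $caps, true);
    }
}

class FailClosedController extends BaseController {
    protected function getPermissions(): array { return ['delete' => 'manage_options']; }
    public function havePermissions(string $action, array $caps): bool {
        $required = $this->getPermissions();
        // Undeclared actions are rejected; declared ones need the capability.
        return isset($required[$action]) && in_array($required[$action], $caps, true);
    }
}

foreach (['FailOpenController', 'FailClosedController'] as $class) {
    $model = new FilterModel();
    $result = (new $class($model))->dispatch('delete', []);   // caller holds no capabilities
    echo "$class: $result, rows left: {$model->rows}\n";
}
```

In WordPress the capability test would be `current_user_can()`, and a state-changing action would not be registered on a `wp_ajax_nopriv_` hook.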
Explanation of Vulnerability in Simple Terms
02 Summary
Product Filter for WooCommerce by WBW versions 3.1.2 and earlier lack proper authorization checks. An attacker can modify product filter data without authentication, potentially altering how products are displayed or filtered on the site. This affects data integrity but does not expose sensitive information.
What an attacker can do
03 Attacker Capabilities
Modify product filter settings and data without logging in.
Potential impact on your site
04 Site Impact
Product filters may display incorrectly or be altered by unauthorized users, affecting customer experience.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
March 24, 2026: CVE published
April 8, 2026: Record updated