WCAPF – WooCommerce Ajax Product Filter

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Basic Information

ID CVE-2026-3396

Source Wordfence

Published Apr 8, 2026 at 11:16

Modified Apr 8, 2026 at 17:53

Affected Product

Vendor shamimmoeen

Product WCAPF – Ajax Product Filter for WooCommerce

Affected Versions shamimmoeen WCAPF – Ajax Product Filter for WooCommerce 0

CWE Classification

CWE-89

References

{
    "lastseen": "",
    "description": "WCAPF \u2013 WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",
    "published": "2026-04-08T11:16:58.886Z",
    "modified": "2026-04-08T17:53:21.100Z",
    "type": "cve",
    "title": "WCAPF \u2013 WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve\nhttps://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739\nhttps://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689\nhttps://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81\nhttps://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65\nhttps://plugins.trac.wordpress.org/changeset/3484080/",
    "id": "CVE-2026-3396",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "shamimmoeen WCAPF \u2013 Ajax Product Filter for WooCommerce 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WCAPF \u2013 Ajax Product Filter for WooCommerce",
    "version": "0",
    "vendor": "shamimmoeen",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection_CVE-2026-3396