CVE-2026-3138: CWE-862 Missing Authorization in woobewoo Product Filter for WooCommerce by WBW
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations.
AI Analysis
Technical Summary
CVE-2026-3138 is a missing authorization vulnerability (CWE-862) in the Product Filter for WooCommerce by WBW WordPress plugin. The plugin's MVC framework registers unauthenticated AJAX handlers via wp_ajax_nopriv_ hooks without capability checks. The base controller's __call() magic method forwards undefined method calls to the model layer, and the havePermissions() method defaults to true when no explicit permissions are set. This combination allows unauthenticated attackers to issue an AJAX request with action=delete that truncates the wp_wpf_filters database table, causing permanent deletion of all filter configurations. The vulnerability affects all versions up to and including 3.1.2.
Potential Impact
An unauthenticated attacker can permanently delete all filter configurations stored in the plugin's wp_wpf_filters database table by exploiting the missing authorization check. This results in data loss impacting the availability and integrity of the filter configurations used by the WooCommerce store. There is no indication of confidentiality impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected plugin's AJAX endpoints if possible, and monitor for suspicious AJAX requests with action=delete. Avoid using the affected plugin versions in production environments where possible.
CVE-2026-3138: CWE-862 Missing Authorization in woobewoo Product Filter for WooCommerce by WBW
Description
The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3138 is a missing authorization vulnerability (CWE-862) in the Product Filter for WooCommerce by WBW WordPress plugin. The plugin's MVC framework registers unauthenticated AJAX handlers via wp_ajax_nopriv_ hooks without capability checks. The base controller's __call() magic method forwards undefined method calls to the model layer, and the havePermissions() method defaults to true when no explicit permissions are set. This combination allows unauthenticated attackers to issue an AJAX request with action=delete that truncates the wp_wpf_filters database table, causing permanent deletion of all filter configurations. The vulnerability affects all versions up to and including 3.1.2.
Potential Impact
An unauthenticated attacker can permanently delete all filter configurations stored in the plugin's wp_wpf_filters database table by exploiting the missing authorization check. This results in data loss impacting the availability and integrity of the filter configurations used by the WooCommerce store. There is no indication of confidentiality impact. No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected plugin's AJAX endpoints if possible, and monitor for suspicious AJAX requests with action=delete. Avoid using the affected plugin versions in production environments where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-24T17:37:54.106Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c2b1b4f4197a8e3b48d1f1
Added to database: 3/24/2026, 3:45:56 PM
Last enriched: 4/9/2026, 10:07:09 PM
Last updated: 5/8/2026, 12:03:53 PM
Views: 104
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.