CVE-2026-3138 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Product Filter for WooCommerce by WBW plugin for WordPress, affecting all versions up to and including 3.1.2. The root cause is the plugin's MVC framework registering unauthenticated AJAX handlers using the `wp_ajax_nopriv_` hooks without performing proper capability checks. Specifically, the base controller uses a `__call()` magic method that forwards undefined method calls to the model layer, and the `havePermissions()` method defaults to true if no explicit permissions are set. This combination allows unauthenticated attackers to invoke an AJAX action named `delete` that truncates the `wp_wpf_filters` database table, which stores all filter configurations. The truncation results in permanent data loss of filter settings, severely impacting the plugin's functionality. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting its network attack vector, low attack complexity, no privileges required, no user interaction, and impact on integrity and availability but not confidentiality. No patches or exploits are currently known, but the risk remains significant due to the ease of exploitation and the critical role of filter configurations in WooCommerce stores.

The primary impact of this vulnerability is the permanent loss of all product filter configurations stored in the `wp_wpf_filters` database table. For WooCommerce stores relying on this plugin, this can degrade user experience by removing filtering capabilities, potentially reducing sales and customer satisfaction. The integrity of the e-commerce site’s data is compromised as attackers can delete critical configuration data without authentication. Availability is also affected since the filtering functionality may become unusable until filters are manually recreated or restored from backups. Although confidentiality is not impacted, the disruption to business operations can be significant, especially for stores with complex or customized filter setups. The ease of exploitation and lack of authentication requirements mean that attackers can remotely trigger this damage at scale, potentially targeting multiple vulnerable sites. This could lead to reputational damage and increased operational costs for recovery. Organizations using this plugin should consider the risk of automated attacks and the potential for widespread disruption in the WooCommerce ecosystem.

1. Immediately update the Product Filter for WooCommerce by WBW plugin to a version that addresses this vulnerability once available. 2. If no official patch exists, implement custom server-side access controls to restrict AJAX requests to authenticated and authorized users only, for example by hooking into WordPress capability checks before processing AJAX actions. 3. Disable or restrict the `wp_ajax_nopriv_` hooks related to this plugin to prevent unauthenticated access. 4. Regularly back up the WordPress database, especially the `wp_wpf_filters` table, to enable quick restoration in case of data loss. 5. Monitor web server and WordPress logs for suspicious AJAX requests with the `action=delete` parameter targeting this plugin. 6. Employ Web Application Firewalls (WAFs) with custom rules to block unauthorized AJAX calls to the plugin endpoints. 7. Conduct security audits of other plugins to ensure proper authorization checks are in place, preventing similar vulnerabilities. 8. Educate site administrators on the risks of installing plugins without proper security reviews and encourage minimal plugin usage to reduce attack surface.