The Product Filter for WooCommerce by WBW plugin prior to version 3.1.3 contains a SQL injection vulnerability (CWE-89) due to improper sanitization and escaping of user-supplied input used in SQL statements. This flaw enables unauthenticated attackers to inject malicious SQL commands, potentially compromising the underlying database. The vulnerability was publicly disclosed on April 13, 2026, but no CVSS score or official remediation details have been provided. The plugin is not a cloud service, so remediation depends on patching the plugin itself.

Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute arbitrary SQL commands on the affected WordPress site's database. This may lead to unauthorized data access, data modification, or other impacts typical of SQL injection vulnerabilities. However, no known exploits have been reported in the wild, and the exact impact depends on the database and site configuration.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting access to the vulnerable plugin functionality to reduce risk. Monitor the vendor's channels for updates and apply any available patches promptly once released.