{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3830", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-03-09T12:31:36.985Z", "datePublished": "2026-04-13T06:00:13.287Z", "dateUpdated": "2026-04-13T12:56:39.504Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-13T06:00:13.287Z"}, "title": "Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi", "problemTypes": [{"descriptions": [{"description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Product Filter for WooCommerce by WBW", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "3.1.3"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks"}], "references": [{"url": "https://wpscan.com/vulnerability/768014fd-0403-4182-b19e-3d46c92d8755/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "mcdruid", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T12:56:36.941075Z", "id": "CVE-2026-3830", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:56:39.504Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3830", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T12:56:36.941075Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:56:29.855Z"}}], "cna": {"title": "Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "mcdruid"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Product Filter for WooCommerce by WBW", "versions": [{"status": "affected", "version": "0", "lessThan": "3.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/768014fd-0403-4182-b19e-3d46c92d8755/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-13T06:00:13.287Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3830", "state": "PUBLISHED", "dateUpdated": "2026-04-13T12:56:39.504Z", "dateReserved": "2026-03-09T12:31:36.985Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-13T06:00:13.287Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks"}], "id": "CVE-2026-3830", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T07:16:50.270", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/768014fd-0403-4182-b19e-3d46c92d8755/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Product Filter for WooCommerce by WBW", "source": "cna", "vendor": "Unknown"}, "product": "product_filter_for_woocommerce", "vendor": "wbw"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T08:23:39.436672+00:00", "value": {"mitigation_remediation": ["Update the Product Filter for WooCommerce plugin to version 3.1.3 or later.", "If immediate update is not possible, restrict public access to the affected parameter until a patch is applied.", "Implement a web application firewall to detect and block suspicious SQL injection attempts.", "Review database logs for signs of unauthorized queries and take appropriate action."], "summary": {"action": "Apply Patch", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Product Filter for WooCommerce plugin by WBW with versions older than 3.1.3 are affected.", "description_and_impact": "The Product Filter for WooCommerce plugin before version 3.1.3 fails to sanitize a user-supplied parameter, enabling unauthenticated SQL injection. Attackers can inject arbitrary SQL, potentially retrieving, modifying, or deleting database contents, jeopardizing confidential data and site integrity.", "risk_and_exploitability": "Because the vulnerability is unauthenticated and exploits a publicly accessible input, the attack vector is likely remote via HTTP requests. The exploitation does not require additional privileges; any site visitor can send the malicious payload. Without a CVSS or EPSS score, the risk assessment relies on the inherent severity of unauthenticated SQL injection, which is high. The vulnerability is not currently listed in CISA\u2019s KEV catalog, but the potential for data breaches remains significant."}}}}, "created": "2026-04-13T12:36:58.386506+00:00", "updated": "2026-04-13T12:52:46.546206+00:00", "vendors": ["wbw", "wbw$PRODUCT$product_filter_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-89"]}