{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3396", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-28T21:12:43.762Z", "datePublished": "2026-04-08T11:16:58.886Z", "dateUpdated": "2026-04-08T17:53:21.100Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:43.335Z"}, "affected": [{"vendor": "shamimmoeen", "product": "WCAPF \u2013 Ajax Product Filter for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "WCAPF \u2013 WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "WCAPF \u2013 WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65"}, {"url": "https://plugins.trac.wordpress.org/changeset/3484080/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "timeline": [{"time": "2026-04-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T17:52:52.873386Z", "id": "CVE-2026-3396", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T17:53:21.100Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WCAPF \u2013 WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "id": "CVE-2026-3396", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T12:16:21.763", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3484080/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WCAPF \u2013 Ajax Product Filter for WooCommerce", "source": "cna", "vendor": "shamimmoeen"}, "product": "wcapf_\u2013_ajax_product_filter_for_woocommerce", "vendor": "shamimmoeen"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T12:21:21.518446+00:00", "value": {"mitigation_remediation": ["Update the WCAPF \u2013 Ajax Product Filter plugin to the latest available version that removes the unsanitized 'post-author' input.", "If an immediate update is not possible, restrict unauthenticated access to the AJAX product filter endpoint or remove the 'post-author' parameter from the query altogether.", "Consider implementing a web application firewall rule that blocks suspicious SQL injection patterns on the affected endpoint.", "Verify that the WordPress core and other plugins are up\u2011to\u2011date to reduce the overall attack surface."], "summary": {"action": "Patch / Update", "impact": "Unauthenticated time\u2011based SQL injection enabling database data exfiltration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WCAPF \u2013 Ajax Product Filter for WooCommerce plugin released by shamimmoeen. All installed instances of the plugin with a version number of 4.2.3 or earlier are susceptible. Any WordPress site that has not upgraded beyond this version is at risk.", "description_and_impact": "The WCAPF \u2013 Ajax Product Filter plugin for WooCommerce contains a gateway that does not properly escape the user supplied 'post-author' parameter, allowing a time\u2011based SQL injection to be injected into the underlying database query. This weakness, identified as CWE\u201189, permits an attacker to append arbitrary SQL that can probe and extract sensitive information from the database. As the vulnerability is exploitable by unauthenticated users and can reveal confidential data, it represents a serious threat to the confidentiality and integrity of the site\u2019s data.", "risk_and_exploitability": "The CVSS score of 7.5 classifies the flaw as high severity. While an EPSS score is not available and it is not listed in the KEV database, the fact that it is unauthenticated and leverages a time\u2011based technique implies an attacker can probe the database without detection by forcing delay responses. The likely attack vector is the AJAX product filter endpoint, where the 'post-author' parameter is passed directly to the database. Exploitation requires only sending a crafted HTTP request; no additional privileges are necessary."}}}}, "created": "2026-04-08T19:27:09.639246+00:00", "updated": "2026-04-08T19:39:46.549207+00:00", "vendors": ["shamimmoeen", "shamimmoeen$PRODUCT$wcapf_\u2013_ajax_product_filter_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}