PT-2026-27327 · Woobewoo · Product Filter For Woocommerce By Wbw

Youssef Elouaer · Published 2026-03-24 · Updated 2026-04-15 · CVE-2026-3138

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions
Product Filter for WooCommerce by WBW versions prior to 3.1.3

Description
A missing capability check allows unauthenticated attackers to cause unauthorized data loss. The plugin's MVC framework dynamically registers unauthenticated AJAX handlers via wp_ajax_nopriv hooks without verifying user capabilities. This is combined with the base controller's __call() magic method, which forwards undefined method calls to the model layer, while the havePermissions() method defaults to true when no permissions are explicitly defined. An attacker can truncate the wp_wpf_filters database table by sending a crafted AJAX request to the endpoint with the action variable set to 'delete', resulting in the permanent destruction of all filter configurations.

Recommendations
Update to a version later than 3.1.2.
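
The combination described above (a permission check that defaults to allow, plus __call() forwarding to the model) is shown here next to a deny-by-default version, as an added example that is not the plugin's code or its actual patch. All class and function names are hypothetical, demo_user_can() stands in for WordPress's current_user_can(), the sample rows are constructed, and PHP 8 is assumed.

```php
<?php
// Added illustration: hypothetical classes, not the plugin's source code.
// Stand-in for WordPress's current_user_can(); $user === null means anonymous.
function demo_user_can(?array $user, string $cap): bool {
    return $user !== null && in_array($cap, $user['caps'], true);
}

class FiltersModel {
    public array $rows = ['filter-1', 'filter-2'];      // constructed sample data
    public function delete(): bool { $this->rows = []; return true; }
}

// "Before": default-allow permissions plus __call() forwarding to the model.
class WeakController {
    protected array $permissions = [];                  // no rule was ever declared
    public function __construct(protected FiltersModel $model) {}
    public function havePermissions(?array $user, string $action): bool {
        // An action with no declared rule is allowed for everyone.
        return !isset($this->permissions[$action])
            || demo_user_can($user, $this->permissions[$action]);
    }
    public function __call(string $name, array $args) {
        return $this->model->$name(...$args);           // undefined method: forwarded
    }
}

// "After": explicit allowlist, deny by default, no magic forwarding.
class HardenedController {
    protected array $permissions = ['delete' => 'manage_options'];
    public function __construct(protected FiltersModel $model) {}
    public function havePermissions(?array $user, string $action): bool {
        return isset($this->permissions[$action])
            && demo_user_can($user, $this->permissions[$action]);
    }
    public function delete(): bool { return $this->model->delete(); }
}

// Hypothetical AJAX entry point: authorize, then call the requested action.
function dispatch(object $controller, ?array $user, string $action): string {
    if (!$controller->havePermissions($user, $action)) return 'denied';
    $controller->$action();
    return 'executed';
}

foreach ([WeakController::class, HardenedController::class] as $class) {
    $model = new FiltersModel();
    $result = dispatch(new $class($model), null, 'delete');   // anonymous caller
    printf("%s: %s, rows left: %d\n", $class, $result, count($model->rows));
}
```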

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-3138

Affected Products: Product Filter For Woocommerce By Wbw