PT-2026-27327 · Woobewoo · Product Filter For Woocommerce By Wbw

Youssef Elouaer · Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-3138

CVSS v3.1: 6.5 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via wp_ajax_nopriv hooks without verifying user capabilities, combined with the base controller's __call() magic method forwarding undefined method calls to the model layer, and the havePermissions() method defaulting to true when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's wp_wpf_filters database table via a crafted AJAX request with action=delete, permanently destroying all filter configurations.
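
The fail-open combination described above, next to a fail-closed counterpart, as an added sketch that is not the plugin's code. Apart from __call() and havePermissions(), all class, method and variable names are hypothetical, and the capability list stands in for a WordPress current_user_can() check.

```php
<?php
// Illustration only: apart from __call() and havePermissions(), every name
// here is hypothetical. Requires PHP 8.0+; no WordPress needed.
class FilterModel {
    public array $rows = ['filter-1', 'filter-2'];   // constructed sample data
    public function delete(): bool { $this->rows = []; return true; }
}

// Fail-open: the pattern the advisory describes.
class FailOpenController {
    protected array $permissions = [];               // nothing declared
    public function __construct(protected FilterModel $model) {}
    public function havePermissions(string $action): bool {
        // No rule for $action means "allowed".
        return $this->permissions[$action] ?? true;
    }
    public function __call(string $name, array $args) {
        return $this->model->$name(...$args);        // undefined method -> model
    }
}

// Fail-closed: unlisted actions and missing capabilities are both rejected.
class FailClosedController {
    // action => capability required; $callerCaps is [] for a logged-out caller
    protected array $permissions = ['delete' => 'manage_options'];
    public function __construct(protected FilterModel $model, protected array $callerCaps) {}
    public function havePermissions(string $action): bool {
        $cap = $this->permissions[$action] ?? null;
        return $cap !== null && in_array($cap, $this->callerCaps, true);
    }
    public function __call(string $name, array $args) {
        if (!$this->havePermissions($name) || !method_exists($this->model, $name)) {
            throw new RuntimeException("forbidden: $name");
        }
        return $this->model->$name(...$args);
    }
}

// Stand-in for the AJAX entry point: reports what happened to the request.
function dispatch(object $controller, string $action): string {
    if (!$controller->havePermissions($action)) return 'denied';
    $controller->$action();
    return 'executed';
}

$open = new FilterModel();
$closed = new FilterModel();
echo 'fail-open:   ', dispatch(new FailOpenController($open), 'delete'), ', rows left: ', count($open->rows), "\n";
echo 'fail-closed: ', dispatch(new FailClosedController($closed, []), 'delete'), ', rows left: ', count($closed->rows), "\n";
```

The fail-closed controller enforces the check inside __call() as well as at the entry point, so a second code path that forgets to call havePermissions() still cannot reach the model.
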

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-3138

Affected Products

Product Filter For Woocommerce By Wbw