CVE-2026-3396
Published 2026-04-08
CVE-2026-3396: WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including…
Priority: P2 (61)
Severity: high, CVSS 3.1 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.47% (70.6th percentile)
WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shamimmoeen | wcapf_ajax_product_filter_for_woocommerce | <= 4.2.3 | — |
Detection & IOCs (extracted from sources)
sigma (the matchers below use nuclei DSL syntax):

```yaml
title: WCAPF WooCommerce Ajax Product Filter - SQL Injection
detection:
  selection:
    - 'contains(body, "No results found")'
    - 'status_code == 200'
  condition: and
```

- Monitor HTTP requests targeting the WCAPF plugin's 'post-author' parameter for time-based SQL Injection payloads (e.g., SLEEP/BENCHMARK injections). No authentication is required, so flag unauthenticated requests manipulating this parameter.
- A nuclei-style template fingerprints exploitation by checking for 'No results found' in the response body together with HTTP 200 status; alert on this combination when the 'post-author' parameter contains SQL metacharacters (e.g., a single quote followed by a numeric comparison).
- Scope detection to WCAPF WooCommerce Ajax Product Filter plugin versions up to and including 4.2.3; requests to the plugin's Ajax endpoint with a manipulated 'post-author' value are the primary attack surface.
- The vulnerability is exploitable by unauthenticated users, meaning no session or privilege-level filtering will reduce exposure; WAF/IDS rules must cover unauthenticated request paths to the plugin endpoint.
- The nuclei template digest (4a0a00473045...) can be used to verify template integrity but is not itself an attack IOC; do not block on this value in network traffic.
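As an added example (not from the advisory, Wordfence or the plugin), the request-side check described above applied to constructed access-log lines: the `post-author` query value is decoded and tested for the indicators the notes name, time-based functions and a quote followed by a numeric comparison. The log format, URL path and sample values are assumptions; the plugin's real Ajax endpoint path is not given on the page.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicators named in the detection notes. These patterns are this example's
# own illustration, not the plugin's or any vendor's published rule.
TIME_BASED = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
QUOTE_COMPARE = re.compile(r"['\"]\s*(and|or)\s+\d+\s*[=<>]+\s*\d+", re.IGNORECASE)

# Combined-log-format line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) \d+"
)


def inspect_post_author(target: str):
    """Return why the request's post-author value looks injected, or None."""
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("post-author", []):
        # parse_qs already decodes once; decoding again catches double-encoded values.
        v = unquote_plus(value)
        if TIME_BASED.search(v):
            return "time-based function in post-author"
        if QUOTE_COMPARE.search(v):
            return "quote followed by comparison in post-author"
    return None


def scan_log(lines: list[str]) -> list[dict]:
    """Return one record per log line whose post-author value trips a pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        reason = inspect_post_author(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "status": int(m["status"]), "reason": reason})
    return hits


# Constructed sample log: one benign filter request and two suspicious ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Apr/2026:10:00:01 +0000] "GET /shop/?post-author=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [08/Apr/2026:10:00:02 +0000] "GET /shop/?post-author=3%27+AND+SLEEP%285%29--+- HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Apr/2026:10:00:03 +0000] "GET /shop/?post-author=3%27+AND+1%3D1--+- HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```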
Nuclei
WCAPF WooCommerce Ajax Product Filter - SQL Injection (nuclei · CVSS 7.5 · HIGH)

Template fragment as extracted (only the matcher tail and the digest survived):

```yaml
    - 'contains(body, "No results found")'
    - 'status_code == 200'
  condition: and
# digest: 4a0a00473045022100de5a30c95c9d195384ec4e74e52a20ea971e000679744d071c7c059e716ab11202204805c16af378cc8da38b977a14ac2eb13b45143b604e1e0b66c5ecc9d2ecb51a:922c64590222798bb761d5b6d8e72950
```
References
- https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65
- https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689
- https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739
- https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81
- https://plugins.trac.wordpress.org/changeset/3484080/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve