Introduction
Attackers can extract sensitive customer and administrative data from vulnerable WooCommerce stores using a single unauthenticated web request. Product Filter by WBW, a WordPress plugin with over 50,000 active installations and more than 1.8 million downloads, is widely used to power advanced product filtering on e-commerce sites. CVE-2025-8416 exposes these sites to SQL Injection attacks through a flaw in the filtersDataBackend parameter, with significant risk for data compromise and regulatory exposure.
Technical Information
CVE-2025-8416 arises from insufficient escaping and lack of parameterization in SQL queries constructed from the filtersDataBackend parameter. This parameter is processed by AJAX endpoints in the plugin, which take user-supplied input and incorporate it directly into SQL statements without proper sanitization. As a result, unauthenticated attackers can inject arbitrary SQL code by manipulating this parameter in HTTP requests.
The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Exploitation does not require authentication or special privileges. Attackers can use time-based blind SQL Injection techniques by injecting payloads that cause conditional delays in database responses, allowing them to infer database content even if results are not directly returned.
Publicly available code references highlight the affected logic:
The vulnerable code concatenates user input from filtersDataBackend directly into SQL queries, bypassing WordPress's recommended $wpdb->prepare() function for safe query construction. This allows an attacker to craft requests such as:
filtersDataBackend=1' AND SLEEP(5) AND '1'='1
If the database query is executed with the injected SLEEP function, the server's response will be delayed, confirming the injection and enabling attackers to extract data incrementally.
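The pattern just described, as an added example rather than code taken from the plugin or from the advisory: a hypothetical AJAX handler that splices filtersDataBackend straight into a query, beside the same handler rewritten with input validation and $wpdb->prepare(). The function names, the AJAX action name and the assumption that the parameter carries a single product ID are all illustrative; the real plugin's handler and data shape are not reproduced here.

```php
<?php
// Added example, not the plugin's source. Shows the CWE-89 pattern the advisory
// describes and the parameterized form WordPress recommends. All names are
// hypothetical; the real handler and the real shape of filtersDataBackend differ.

// Vulnerable pattern: the request value is concatenated into the SQL string,
// so SQL syntax inside it becomes part of the statement the database runs.
function wbw_example_vulnerable_filter_count() {
    global $wpdb;
    $filter = isset( $_POST['filtersDataBackend'] ) ? $_POST['filtersDataBackend'] : '';
    $sql    = "SELECT COUNT(*) FROM {$wpdb->posts} "
            . "WHERE post_type = 'product' AND ID = '" . $filter . "'";
    // A value that closes the quote and appends conditions is executed as SQL,
    // which is why a time-based payload produces a measurable response delay.
    return $wpdb->get_var( $sql );
}

// Hardened pattern: reject input that does not match the expected shape, then
// bind the value with $wpdb->prepare() so it can only ever be treated as data.
function wbw_example_hardened_filter_count() {
    global $wpdb;
    $raw = isset( $_POST['filtersDataBackend'] ) ? wp_unslash( $_POST['filtersDataBackend'] ) : '';

    // Assumption for this example: the handler expects one decimal product ID.
    // Anything else (quotes, keywords, parentheses) is refused before any query.
    if ( ! ctype_digit( (string) $raw ) ) {
        wp_send_json_error( array( 'message' => 'Invalid filter data' ), 400 );
    }

    $id  = absint( $raw );
    // %d is a bound placeholder; prepare() renders it as an integer literal and
    // never interprets the caller-supplied bytes as SQL.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type = 'product' AND ID = %d",
        $id
    );
    return $wpdb->get_var( $sql );
}

// Both variants would be reachable without a session when registered on the
// nopriv hook, which is what makes an injection here exploitable unauthenticated.
// The hardened handler is the one that should be wired up; the action name is made up.
function wbw_example_ajax_filter_count() {
    $count = wbw_example_hardened_filter_count();
    wp_send_json_success( array( 'count' => (int) $count ) );
}
add_action( 'wp_ajax_wbw_example_filter_count', 'wbw_example_ajax_filter_count' );
add_action( 'wp_ajax_nopriv_wbw_example_filter_count', 'wbw_example_ajax_filter_count' );
```

The two defenses are independent: the allow-list check stops malformed values early and keeps them out of the database log, while prepare() guarantees that whatever does reach the query is bound as a value. When the real parameter is structured (for example JSON describing several filters), the same approach applies per field: decode, validate each element against its expected type, and build the WHERE clause only from prepare() placeholders and a fixed set of column names.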
Affected Systems and Versions
- Product Filter by WBW for WordPress
- All versions up to and including 2.9.7
- Vulnerability is present in default plugin configurations
Vendor Security History
WooBeWoo has a history of security issues in Product Filter by WBW:
- CVE-2025-2317: Time-based SQL Injection via filtersDataBackend (versions up to 2.7.9)
- CVE-2025-11269: Missing authorization allowing unauthenticated settings updates (versions up to 3.0.0)
The vendor has released patches for these vulnerabilities, with version 2.9.8 addressing CVE-2025-8416. However, the recurrence of similar flaws suggests ongoing challenges in secure coding and review processes.