Introduction
An unauthenticated time-based SQL injection in the WCAPF WooCommerce Ajax Product Filter plugin gives remote attackers a direct path to extracting sensitive database contents from any affected WooCommerce store, no login required. With over 9,000 active installations and the technical details now public, this is a vulnerability that WooCommerce site operators need to address promptly.
WCAPF (Ajax Product Filter for WooCommerce) is a WordPress plugin that provides AJAX-powered product filtering for WooCommerce storefronts, allowing customers to narrow product listings by attributes such as price, category, and author. While not among the largest WooCommerce extensions, its 9,000+ active installations mean a meaningful number of e-commerce sites are potentially exposed. The plugin is maintained by a single developer, Mainul Hassan, and is listed on the official WordPress plugin repository.
Technical Information
CVE-2026-3396 is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The root cause is straightforward: the plugin fails to properly escape user-supplied input and does not use prepared statements when constructing SQL queries that include the post-author filter parameter.
Vulnerable Code Path
The vulnerability resides in class-wcapf-product-filter.php. The plugin retrieves filter parameters by calling parse_str on the raw $_SERVER['QUERY_STRING'], which populates variables directly from the URL without any sanitization layer. When the filter_type is post-author, the extracted value flows into SQL query construction logic at multiple points in the file (lines 65, 81, 689, and 739 are all referenced in the advisory).
Because the value is neither escaped nor passed through WordPress's $wpdb->prepare() method, an attacker can inject arbitrary SQL fragments into the query.
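As an added illustration (not the plugin's code; the function names, the `$args` shape and the exact query are assumptions), here is the unsafe pattern the advisory describes next to a hardened form that validates the author IDs and binds them through `$wpdb->prepare()`:

```php
<?php
// Added example, not the plugin's actual source: a minimal reconstruction of
// the unsafe pattern (query-string value concatenated into SQL) beside a
// hardened version. Function names and the query are assumptions.

// UNSAFE (illustrative): the 'post-author' value flows straight into SQL.
function wcapf_example_unsafe_author_filter( $wpdb ) {
    // parse_str() on the raw query string fills $params with no sanitization.
    parse_str( $_SERVER['QUERY_STRING'], $params );
    $author = isset( $params['post-author'] ) ? $params['post-author'] : '';

    // String concatenation: whatever is in 'post-author' becomes SQL syntax.
    $sql = "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product'"
         . " AND post_author IN (" . $author . ")";
    return $wpdb->get_col( $sql );
}

// HARDENED: constrain the value shape (author IDs are positive integers)
// and bind every value with $wpdb->prepare(), so request data can only
// ever be a parameter, never part of the statement.
function wcapf_example_safe_author_filter( $wpdb ) {
    $raw = isset( $_GET['post-author'] ) ? wp_unslash( $_GET['post-author'] ) : '';

    // Accept a comma-separated list of IDs; absint() coerces each item to a
    // non-negative integer and array_filter() drops the zeros (invalid IDs).
    $ids = array_filter( array_map( 'absint', explode( ',', (string) $raw ) ) );
    if ( empty( $ids ) ) {
        return array(); // Nothing valid to filter on; never fall back to raw input.
    }

    // One %d placeholder per ID; prepare() handles typing and quoting.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product'"
        . " AND post_author IN ({$placeholders})",
        ...array_values( $ids )
    );
    return $wpdb->get_col( $sql );
}
```

The same two controls (type validation of the parameter and `%d` placeholders in `$wpdb->prepare()`) apply at each of the query-building sites the advisory lists; a filter that reads `$_GET` directly instead of `parse_str()` on the raw query string also makes the input path easier to audit.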
Attack Flow
The exploitation sequence works as follows:
- Reconnaissance: The attacker identifies a WooCommerce site running WCAPF version 4.2.3 or earlier. Plugin detection is trivial through standard WordPress fingerprinting techniques.
- Payload Delivery: The attacker crafts an HTTP request to the site's product filter endpoint, injecting a time-based blind SQL injection payload into the post-author query string parameter. No authentication cookies or tokens are needed.
- Query Manipulation: The plugin's class-wcapf-product-filter.php parses the query string and passes the tainted post-author value directly into a SQL query. The injected SQL is appended to the existing query and executed against the WordPress database.
- Data Extraction: By measuring response time differences (the hallmark of time-based blind SQLi), the attacker can infer database contents one character at a time. Targets include the wp_users table (usernames, password hashes, email addresses), WooCommerce order tables (customer names, addresses, order details), and any other data stored in the WordPress database.
CVSS Breakdown
The CVSS 3.1 score of 7.5 reflects the following vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
| Metric | Value | Description |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the internet |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | None | Unauthenticated exploitation |
| User Interaction | None | No victim interaction needed |
| Scope | Unchanged | Confined to the vulnerable component |
| Confidentiality | High | Full database extraction possible |
| Integrity | None | No direct data modification |
| Availability | None | No denial of service impact |
The scoring confirms that the sole impact axis is confidentiality, which is especially consequential for e-commerce databases containing customer PII and payment metadata.
Affected Systems and Versions
All versions of the WCAPF (WooCommerce Ajax Product Filter) plugin up to and including version 4.2.3 are vulnerable. The vulnerability was patched in version 4.3.0, released on March 16, 2026. The latest available version at the time of writing is 4.4.0.
Specifically:
- Vulnerable: WCAPF versions <= 4.2.3
- Patched: WCAPF version 4.3.0 and later
- Recommended: WCAPF version 4.4.0 (latest, includes additional escaping and coding standards improvements)
- Platform: WordPress sites running WooCommerce with the WCAPF plugin active
- Tested compatibility: WordPress up to version 6.9.4
Vendor Security History
CVE-2026-3396 is the only cataloged vulnerability for the WCAPF plugin in the Wordfence threat intelligence database. This suggests a generally clean security track record for the plugin. The vendor responded well to this disclosure: the patch in version 4.3.0 was released approximately three weeks before Wordfence publicly disclosed the vulnerability on April 7, 2026, indicating responsible coordination between the researcher and the maintainer.
That said, the plugin is maintained by a single developer, which is a common pattern in the WordPress ecosystem and one that warrants additional caution. Organizations relying on single-maintainer plugins should ensure they have automated update mechanisms or monitoring in place.
References
- Wordfence Threat Intel: WCAPF <= 4.2.3 Unauthenticated Time-Based SQL Injection
- NVD Entry for CVE-2026-3396
- CVE Record: CVE-2026-3396
- Vulnerable Source: class-wcapf-product-filter.php (Line 65)
- Vulnerable Source: class-wcapf-product-filter.php (Line 81)
- Vulnerable Source: class-wcapf-product-filter.php (Line 689)
- Vulnerable Source: class-wcapf-product-filter.php (Line 739)
- WordPress Plugin Repository Changeset 3484080
- WCAPF Plugin Page on WordPress.org
- Developer Profile: Mainul Hassan (shamimmoeen)
- Wordfence: All Vulnerabilities for WCAPF