CVE-2026-39494

CRITICAL EXPLOITED

WordPress Product Filter by WBW plugin <= 3.1.2 - SQL Injection vulnerability

Title source: cna

Exploitation Summary

CVE-2026-39494 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2.

Scores

CVSS v3: 9.3
EPSS: 0.0039
EPSS Percentile: 30.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

VulnCheck KEV: 2026-06-11
CWE: CWE-89
Status: published
Products (1): WBW Plugins/Product Filter by WBW < 3.1.2
Published: Jun 11, 2026
Tracked Since: Jun 12, 2026