PatchSiren cyber security CVE debrief
CVE-2026-39494 WBW Plugins CVE debrief
A critical vulnerability was discovered in the Product Filter by WBW WordPress plugin, affecting versions from n/a through 3.1.2. This vulnerability, tracked as CVE-2026-39494, is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') issue, which allows for Blind SQL Injection attacks. The vulnerability has a CVSS score of 9.3 and is considered CRITICAL.
- Vendor
- WBW Plugins
- Product
- Product Filter by WBW
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-11
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-11
- Advisory updated
- 2026-06-12
Who should care
Users of the Product Filter by WBW WordPress plugin, particularly those using versions from n/a through 3.1.2, should be aware of this vulnerability and take necessary actions to mitigate the risk.
Technical summary
The vulnerability is caused by improper neutralization of special elements used in an SQL command, allowing for Blind SQL Injection attacks. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L.
Defensive priority
High
Recommended defensive actions
- Update the Product Filter by WBW plugin to a version that is not vulnerable.
- Refer to resourceLinkAnnotations for more information: {ref-4}.
Evidence notes
The vulnerability was reported by [email protected] and is publicly listed on CVE.org and NVD.
Official resources
-
CVE-2026-39494 CVE record
CVE.org
-
CVE-2026-39494 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39494 was published on {cvePublishedAt} and modified on {cveModifiedAt}.