CRITICAL | CVE-2026-39494 | CNA: Patchstack

CVE-2026-39494: WordPress Product Filter by WBW plugin <= 3.1.2 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2.

Metrics

CVSS v3.1 score: 9.3
Severity: CRITICAL
Fixed in: no upstream fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the Product Filter by WBW WordPress plugin in all versions up to and including 3.1.2. The flaw is reachable over the network without any login or account, and the attack requires no interaction from a site visitor. Successful exploitation allows blind SQL injection: query results are not echoed back in the response, but an attacker can infer them from differences in response content or timing and so read sensitive data from the underlying database, and the repeated probing this requires can cause limited service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-39494 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built WordPress images that bundle this plugin.

Triage: Available

Triage is available using the CVSS v3.1 score of 9.3 (Critical), with per-environment compliance policy weighting applied to determine severity rank and routing to the appropriate team inbox within each customer organization.

Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a remediated release.

Exploit Conditions

  • Network reachability: Required

    The plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress site over HTTP or HTTPS to deliver the malicious payload (CVSS AV:N).

  • Authentication: Not required

    No account or session token of any kind is needed; the vulnerable parameter is accessible to anonymous HTTP requests (CVSS PR:N).

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any site visitor or administrator (CVSS UI:N).

  • Attack complexity: Low

    Exploitation does not depend on race conditions, memory-layout knowledge, or special environmental prerequisites (CVSS AC:L). A blind injection is extracted one bit or byte per request, so it is slower and noisier than an error-based or UNION-based injection, but it needs no conditions beyond reaching the endpoint.

Blast Radius

  • An attacker can extract data from the WordPress database through blind SQL injection, including user records from the users table (hashed passwords, email addresses), user metadata (where WordPress keeps its hashed session tokens), and any stored customer or order records.
  • Database integrity is not directly at risk from this vulnerability (Integrity impact is rated None in the CVSS vector), but exfiltrated password hashes can be cracked offline and, together with the harvested email addresses, used for follow-on account takeover.
  • The Availability impact is rated Low: blind-injection probing, especially time-based probes that make each query sleep, holds database connections open and raises database load, so the attacker can cause intermittent query failures or slow responses for site visitors rather than a full outage.
  • The CVSS Scope is Changed, which indicates that the vulnerable component (the plugin) differs from the impacted component (the site's shared database): the plugin's injection point reaches the WordPress core tables and every other installed plugin's tables, not only the data the plugin itself owns.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical-severity SQL injection issue is active across all customer environments that run images containing the Product Filter by WBW plugin at version 3.1.2 or below. Because no upstream fix existed as of the publication date (2026-06-11), HarborGuard is monitoring the Patchstack advisory on every ingest cycle. When a patched release is published, a rebuilt image at the fixed version becomes available automatically; for customers who opt into auto-remediation, this triggers a regression-test run and a PR opened against affected workloads without manual intervention.

In the interim, recommended compensating controls are:

  • disabling the plugin entirely where product-filter functionality is not essential, which is the only control that removes the injection point;
  • web application firewall rules targeting SQL metacharacter and time-delay patterns (quotes, comment sequences, SLEEP/BENCHMARK calls, AND/OR tautologies) in the filter parameters, with the understanding that such rules reduce exposure but can be bypassed and are not a substitute for the upstream fix;
  • network-policy rules that restrict wp-admin and plugin API endpoints to known IP ranges, with the caveat that a storefront product filter is normally invoked by anonymous shoppers, so whatever front-end path the filter uses (for example wp-admin/admin-ajax.php or a REST route) must stay reachable and cannot be IP-restricted without breaking the filter.

Customers can review which images include this plugin using the HarborGuard package-level search without waiting for a patched release.
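The WAF and log-review stopgap from the paragraph above, as an added example that is not HarborGuard's code and is not specific to this plugin: a scanner over web access logs that flags the usual blind-SQLi probe shapes (time-delay calls, AND/OR tautologies, comment terminators) in any query parameter and tallies the source IPs for a temporary block. The advisory does not name the vulnerable parameter, so every parameter is checked. The log lines, IP addresses, paths and parameter names are constructed for the example. It assumes the web server logs query strings; a filter submitted by POST would not be visible here and would need the same rules applied in the WAF or at the application layer.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in combined format (not real traffic; the IPs,
# paths and parameter names are made up for this example).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jun/2026:10:00:01 +0000] "GET /shop/?filter=color:red&orderby=price HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Jun/2026:10:00:07 +0000] "GET /shop/?filter=color:red'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.11 - - [11/Jun/2026:10:00:19 +0000] "GET /shop/?filter=price&min=10%20OR%201%3D1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.5 - - [11/Jun/2026:10:01:02 +0000] "GET /shop/?filter=men's%20shirts HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Blind-SQLi probe indicators, checked against each URL-decoded parameter value.
# A bare apostrophe is deliberately not a rule on its own ("men's shirts" would
# trip it); quotes only matter in combination with the patterns below.
RULES = [
    ("time_based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("tautology", re.compile(r"\b(?:and|or)\b\s*[\'\"(]?\s*\d+\s*=", re.I)),
    ("comment_terminator", re.compile(r"--(?:\s|$)|/\*")),
]


def suspicious_rules(value):
    """Names of the RULES that match one decoded parameter value."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(text):
    """Return one finding per (request, parameter) whose value matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        query = urlsplit(m["target"]).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            rules = suspicious_rules(value)
            if rules:
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                    "param": param, "value": value, "rules": rules,
                })
    return findings


def offending_ips(findings):
    """Count findings per source IP, as input for a temporary block list."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["param"]}={h["value"]!r} -> {", ".join(h["rules"])}')
    print("by source:", offending_ips(hits))
```

The rules are intentionally narrow and will miss obfuscated or encoded payloads; treat a hit as a reason to block the source and confirm the exposure, not clean logs as evidence that nothing was exploited.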

Affected packages
  • WBW Plugins / Product Filter by WBW, versions ≤ 3.1.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L