CVE Alert: CVE-2025-8416 – woobewoo – Product Filter by WBW

CVE-2025-8416

HIGH / No exploitation known

The Product Filter by WBW plugin for WordPress is vulnerable to SQL Injection via the ‘filtersDataBackend’ parameter in all versions up to, and including, 2.9.7. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS v3.1 (7.5)
Vendor
woobewoo
Product
Product Filter by WBW
Versions
<= 2.9.7 (all versions up to and including 2.9.7)
CWE
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published
2025-10-25T06:49:24.974Z
Updated
2025-10-25T06:49:24.974Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated, network-accessible SQL injection in the WordPress plugin could expose database contents.

Why this matters

The vulnerability permits data exfiltration without user credentials, risking sensitive customer, financial, or site data. It enables attackers to read (and potentially combine) database information, compromising confidentiality and potentially triggering regulatory or reputational fallout. Exploitation could occur at scale on sites with exposed instances of the plugin.

Most likely attack path

An unauthenticated attacker can send crafted input in the vulnerable parameter, causing the application to append additional SQL to, or otherwise alter, the existing query. No user interaction or privileges are required. The impact stays within the database layer (CVSS scope unchanged), but because anyone who can reach the site can reach the query, containment is difficult once the site is exposed.

Who is most exposed

WordPress deployments running an affected version of this plugin, especially self-hosted or under-patched sites on shared or internet-exposed hosting that still carry older plugin copies. E-commerce and membership sites are at particular risk because their databases hold richer customer and order data.

Detection ideas

  • Monitor for unusual SQL error messages or evidence of unintended query chaining in app logs.
  • Look for repeated or anomalous requests targeting the filtersDataBackend parameter.
  • Detect spikes in large data transfers or abnormal query latency to the database.
  • WAF/IPS alerts for SQLi patterns related to this parameter.
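The detection ideas above can be turned into a small log-review script. The following is an added example, not code from the advisory, the plugin vendor, or any detection product: it parses combined-format web access logs, singles out requests that carry the filtersDataBackend parameter named in the advisory, and flags generic SQL-injection indicators in the value, repeated hits from one source, server errors on those requests, and unusually large responses. The sample log lines, the admin-ajax.php request path, the indicator patterns, and the thresholds are all constructed assumptions; the advisory itself names only the parameter, not the endpoint.

```python
"""Flag suspicious requests to the filtersDataBackend parameter in access logs.

Added example (not the advisory's or the plugin's code). The request path,
thresholds, indicator patterns and sample log lines are constructed assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

PARAM = "filtersDataBackend"          # parameter named in CVE-2025-8416
REPEAT_THRESHOLD = 3                  # requests to PARAM from one IP (assumed)
LARGE_RESPONSE_BYTES = 5000           # "large data transfer" cut-off (assumed)

# Generic, case-insensitive SQLi indicators. The comment-marker pattern in
# particular can false-positive on legitimate data; tune for your environment.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bunion\b[\s\S]{0,40}\bselect\b",   # query chaining via UNION
        r"\bor\b\s+\d+\s*=\s*\d+",            # tautology such as OR 1=1
        r"\b(?:sleep|benchmark)\s*\(",        # time-based probing
        r"information_schema",                # schema enumeration
        r"(?:--|#|/\*)",                      # SQL comment markers
        r"'\s*(?:or|and)\b",                  # quote followed by boolean operator
    )
]

# Apache/Nginx combined log format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (RFC 5737 test addresses); the path is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Oct/2025:07:01:10 +0000] "GET /wp-admin/admin-ajax.php?filtersDataBackend=%5B%7B%22id%22%3A1%7D%5D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Oct/2025:07:01:12 +0000] "GET /wp-admin/admin-ajax.php?filtersDataBackend=1%27%20OR%201%3D1--%20- HTTP/1.1" 200 9031 "-" "python-requests/2.31"
198.51.100.7 - - [25/Oct/2025:07:01:13 +0000] "GET /wp-admin/admin-ajax.php?filtersDataBackend=%27%20UNION%20SELECT%201%2C2--%20- HTTP/1.1" 200 420 "-" "python-requests/2.31"
198.51.100.7 - - [25/Oct/2025:07:01:14 +0000] "GET /wp-admin/admin-ajax.php?filtersDataBackend=%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 500 310 "-" "python-requests/2.31"
192.0.2.44 - - [25/Oct/2025:07:02:00 +0000] "GET /?s=shoes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not a valid log record
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    qs = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    # parse_qs already percent-decodes once; decode again so double-encoded
    # payloads are inspected in their final form.
    rec["param_value"] = unquote_plus(qs[PARAM][0]) if PARAM in qs else None
    return rec


def sqli_indicators(value):
    """List the indicator patterns that match the decoded parameter value."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(value)]


def analyze(log_text):
    """Return a list of findings: {"ip", "reason", "detail"} per suspicious event."""
    findings = []
    per_ip = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["param_value"] is None:
            continue                      # malformed line or parameter absent
        per_ip[rec["ip"]] += 1
        hits = sqli_indicators(rec["param_value"])
        if hits:
            findings.append({"ip": rec["ip"], "reason": "sqli_pattern", "detail": hits})
        if rec["bytes"] >= LARGE_RESPONSE_BYTES:
            findings.append({"ip": rec["ip"], "reason": "large_response", "detail": rec["bytes"]})
        if rec["status"].startswith("5"):
            findings.append({"ip": rec["ip"], "reason": "server_error", "detail": rec["status"]})
    for ip, n in per_ip.items():
        if n >= REPEAT_THRESHOLD:
            findings.append({"ip": ip, "reason": "repeated_requests", "detail": n})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['reason']:18} {f['detail']}")
```

Run against a real log, the script only reports requests that actually carry the parameter, so the benign product-filter request from 203.0.113.10 produces nothing while the three probes from 198.51.100.7 produce pattern, error, size and repetition findings. Server-side application or database error logs remain the better place to confirm the "unusual SQL error messages" signal, since a 500 status alone does not say why the query failed.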

Mitigation and prioritisation

  • Patch promptly to the latest plugin version or remove/replace the vulnerable component.
  • If patching isn’t feasible, disable the plugin and implement compensating controls (denylists for the parameter, enhanced input validation, and WAF rules).
  • Validate backups and perform post-remediation integrity checks on the database.
  • Apply a staged change-management plan and test in a staging environment before production rollout.
  • Consider limiting direct external access to the WordPress instance and monitor for suspicious query patterns.
