## Overview
WBW Plugins released an urgent patch for a critical SQL injection flaw in Product Filter by WBW. The vulnerability affects all versions from initial release through 3.1.2. Attackers exploit it via authenticated admin interfaces.
## Technical Details
The flaw stems from unsanitized user input in filter parameters. Attackers craft malicious filter queries that bypass input validation. This enables blind SQL injection. Exploitation requires admin-level access to the WordPress dashboard. The flaw does not affect public-facing search functions.
## Impact
CVSS 9.3 severity reflects high risk. Attackers gain full database access. They can extract sensitive site data, user credentials, or inject malicious content. Compromised sites risk hosting malware or phishing pages. The flaw impacts all sites using the affected plugin version.
## Mitigation
Update Product Filter by WBW to version 3.1.3 immediately. Administrators must verify the update completes. Disable the plugin if immediate update is impossible. Monitor server logs for SQL injection attempts. Check for unauthorized database changes. Ensure all WordPress plugins are updated regularly. Do not delay patching this critical flaw. The vulnerability is actively being exploited in the wild.
CSURFACE Threat Sensor