Platform: wordpress
Component: woofilter-pro
Fixed in: 2.9.6
CVE-2025-39496 is a SQL Injection vulnerability in the WooBeWoo Product Filter Pro WordPress plugin. The flaw allows attackers to inject SQL into the plugin's database queries, potentially gaining unauthorized access to the database and compromising sensitive data. Versions prior to 2.9.6 are affected; the fix is included in version 2.9.6.
Successful exploitation of CVE-2025-39496 can have severe consequences. An attacker could leverage SQL injection to bypass authentication, retrieve sensitive user data (usernames, passwords, email addresses, order information), modify database content, or even execute arbitrary commands on the server. The blast radius extends to all users of the affected WordPress site, and the potential for data exfiltration and website defacement is high. This vulnerability shares similarities with other SQL injection flaws where attackers can manipulate database queries to gain unauthorized access.
CVE-2025-39496 was publicly disclosed on 2025-08-28. The vulnerability's criticality (CVSS 9.3) and the ease of SQL injection exploitation suggest a potential for active exploitation. While no public proof-of-concept (PoC) code has been widely reported, the availability of the vulnerability details increases the risk of exploitation by malicious actors. Its inclusion in the NVD is pending.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-39496 is to immediately upgrade WooBeWoo Product Filter Pro to version 2.9.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds such as input validation and sanitization on all user-supplied data used in SQL queries. Web application firewalls (WAFs) configured with SQL injection rules can also provide a layer of protection. Monitor WordPress logs for suspicious SQL queries that might indicate an attempted exploitation.
Update the WooBeWoo Product Filter Pro plugin to version 2.9.6 or higher to mitigate the SQL Injection vulnerability. Verify that all instances of the plugin are updated to prevent potential attacks. Consider implementing additional security measures, such as input validation, to strengthen protection against future vulnerabilities.
CVE-2025-39496 is a critical SQL Injection vulnerability affecting WooBeWoo Product Filter Pro versions before 2.9.6, allowing attackers to manipulate database queries.
If you are using WooBeWoo Product Filter Pro versions earlier than 2.9.6, you are vulnerable to this SQL Injection flaw.
Upgrade WooBeWoo Product Filter Pro to version 2.9.6 or later to patch the SQL Injection vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no widespread exploitation has been confirmed, the vulnerability's criticality and public disclosure increase the risk of exploitation.
Refer to the WooBeWoo Product Filter Pro official website or WordPress plugin repository for the latest security advisory and update information.