CVE-2025-8416

WordPress · WordPress "Product Filter by WBW" plugin

A high-severity vulnerability has been identified in the "Product Filter by WBW" plugin for WordPress.

Executive summary

The flaw lets an attacker who has no account on the site inject SQL through a request parameter and read, and depending on the affected query potentially alter, the contents of the WordPress database. Organizations using this plugin are exposed to a data breach and should apply the vendor's update immediately.

Vulnerability

The vulnerability is a SQL injection flaw in the plugin's handling of the 'filtersDataBackend' request parameter. An unauthenticated attacker can send a crafted request in which this parameter carries SQL syntax. Because the value is neither escaped nor bound as a query parameter before it is used in a database query, the attacker's input becomes part of the statement the database executes, which can be used to extract data from the database and, depending on how the affected query is constructed, to alter it. One practical caveat: WordPress's database layer ($wpdb) executes a single statement per call, so an attacker cannot simply append a separate UPDATE or DELETE statement; data extraction is the expected outcome unless the injectable query is itself a write.
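The pattern the advisory describes, as an added example that is not the plugin's code: the real plugin's SQL is not shown on this page, so the table name, query shape and parameter handling below are hypothetical stand-ins. It uses Python with an in-memory SQLite table so it runs offline. The vulnerable function concatenates the parameter into the statement; the hardened one allow-lists the value and binds each id with a placeholder, which is the same fix $wpdb->prepare() provides in WordPress.

```python
import re
import sqlite3

# Constructed sample data standing in for a filter-terms table. The table and the
# WHERE clause below are hypothetical; the advisory does not publish the plugin's query.
SAMPLE_ROWS = [(1, "red"), (2, "blue"), (3, "internal-only")]


def make_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE filter_terms (term_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO filter_terms VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn: sqlite3.Connection, filters_data_backend: str) -> list:
    """The flaw class: the request parameter is concatenated straight into SQL,
    so whatever the attacker puts in the parameter becomes part of the statement."""
    sql = f"SELECT term_id, name FROM filter_terms WHERE term_id IN ({filters_data_backend})"
    return conn.execute(sql).fetchall()


def query_hardened(conn: sqlite3.Connection, filters_data_backend: str) -> list:
    """Allow-list the value (comma-separated ASCII digits only), then bind each id
    with a placeholder so the driver never interprets it as SQL text."""
    ids = []
    for piece in filters_data_backend.split(","):
        piece = piece.strip()
        if not re.fullmatch(r"[0-9]+", piece):
            raise ValueError(f"rejected filter id: {piece!r}")
        ids.append(int(piece))
    placeholders = ",".join("?" for _ in ids)  # never empty: an empty piece is rejected above
    sql = f"SELECT term_id, name FROM filter_terms WHERE term_id IN ({placeholders})"
    return conn.execute(sql, ids).fetchall()


# Constructed attacker value: closes the IN (...) list, appends an always-true
# predicate, and comments out the remainder of the statement.
INJECTION = "1) OR 1=1 --"

if __name__ == "__main__":
    db = make_sample_db()
    print("benign, vulnerable :", query_vulnerable(db, "1,2"))
    print("inject, vulnerable :", query_vulnerable(db, INJECTION))  # every row leaks
    print("benign, hardened   :", query_hardened(db, "1,2"))
    try:
        query_hardened(db, INJECTION)
    except ValueError as err:
        print("inject, hardened   : rejected ->", err)
```

The hardened version validates before it binds. Binding alone would not be enough here because a list of ids cannot be passed as one placeholder; the allow-list guarantees that what reaches the placeholders is only integers.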

Business impact

This vulnerability is rated High with a CVSS score of 7.5. That score is lower than the 9.8 a full loss of confidentiality, integrity and availability would receive; for an unauthenticated, network-reachable SQL injection it typically reflects a high confidentiality impact with no direct integrity or availability impact, so the primary consequence is exfiltration of sensitive data (e.g., personal information and password hashes from the users table). Depending on the affected query, unauthorized modification of website content or disruption of service cannot be ruled out. Such an incident could result in reputational damage, financial loss, and regulatory penalties under applicable data protection rules.

Remediation

Immediate Action: Identify every WordPress instance running the "Product Filter by WBW" plugin (from the WordPress admin Plugins page, or with WP-CLI using `wp plugin list`) and update it to the latest patched release, later than version 2.0. If the plugin is not essential for business operations, deactivate and delete it to remove the attack surface entirely.

Proactive Monitoring: Review web server and Web Application Firewall (WAF) logs for requests that carry SQL syntax in the 'filtersDataBackend' parameter (time-delay functions such as SLEEP(), UNION SELECT, comment sequences, stray quotes). Note that standard access logs record only the request line, so a parameter sent in a POST body is visible only in WAF or application-level logging. Database logs should be reviewed for unusual or unauthorized queries, and a rise in database error messages or unexpected application behaviour can also indicate attempted or successful exploitation.
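Detection logic for the monitoring step above, as an added example rather than anything from the vendor or this page: a Python scanner over constructed combined-format access log lines that URL-decodes the 'filtersDataBackend' parameter and flags common injection markers. The request paths, IP addresses and user agents are invented, and the parameter is shown on the site root because the advisory does not name the plugin's endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2025:10:01:02 +0000] "GET /?filtersDataBackend=%7B%22pa_color%22%3A%5B%221%22%5D%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Aug/2025:10:01:03 +0000] "GET /?filtersDataBackend=1)%20AND%20(SELECT%20SLEEP(5))%20--%20 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Aug/2025:10:01:04 +0000] "GET /?filtersDataBackend=1%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users HTTP/1.1" 200 2048 "-" "sqlmap/1.7"
198.51.100.8 - - [12/Aug/2025:10:01:05 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

TARGET_PARAM = "filtersDataBackend"

# Each pattern is checked against the URL-decoded parameter value. The last two are
# deliberately broad and will need tuning against the site's legitimate filter values.
SQLI_PATTERNS = [
    ("time-based function", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("union select", re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?", re.I)),
    ("comment terminator", re.compile(r"(--|/\*|#)")),
    ("quote / statement break", re.compile(r"['`;]")),
]


def extract_param(target: str, name: str) -> list:
    """Return every decoded value of `name` in the request target's query string."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get(name, [])


def classify(value: str) -> list:
    """Labels of every pattern that matches the decoded parameter value."""
    return [label for label, rx in SQLI_PATTERNS if rx.search(value)]


def scan_log(text: str) -> list:
    """Parse each line, pull the target parameter, and report suspicious values."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip rather than crash
        for value in extract_param(m["target"], TARGET_PARAM):
            reasons = classify(value)
            if reasons:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "ua": m["ua"],
                    "value": value, "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['ua']!r} -> {f['reasons']}: {f['value']!r}")
```

The benign first line decodes to a JSON filter object and produces no finding; the two attack lines are flagged for the time-delay call and the UNION SELECT respectively. Because access logs do not contain POST bodies, run the same classification on WAF or application logs that capture request bodies to cover the parameter when it is submitted that way.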

Compensating Controls: If patching cannot be performed immediately, place the site behind a WAF with a SQL injection ruleset and, where the product supports it, add a rule specific to the 'filtersDataBackend' parameter. This acts as a virtual patch by blocking malicious requests before they reach the vulnerable plugin, but it is a stopgap: WAF signatures can be evaded, so the update remains required. Restrict access to pages that use the plugin's functionality where possible.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity score (CVSS 7.5) and the critical nature of a SQL Injection vulnerability, it is strongly recommended that organizations prioritize the immediate remediation of CVE-2025-8416. All instances of the "Product Filter by WBW" plugin must be updated without delay. Although this vulnerability is not currently listed on the CISA KEV list, its potential for causing a significant data breach warrants urgent attention to prevent compromise.