Platform
wordpress
Component
woocommerce-products-filter
Fixed in
1.3.7
CVE-2025-1661 is a critical Local File Inclusion (LFI) vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 through 1.3.6.5. A patch is expected from the vendor.
The impact of CVE-2025-1661 is severe. An attacker exploiting this LFI vulnerability can execute arbitrary PHP code on the server hosting the WordPress site, which lets them bypass access controls, steal sensitive data (user credentials, database information, and possibly source code), and potentially gain full control of the web server. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing malware, creating backdoors, and defacing the website. This vulnerability shares similarities with other LFI exploits in which attackers leverage file inclusion to gain code execution, but the specific impact depends on the server's configuration and the attacker's skill.
CVE-2025-1661 was publicly disclosed on 2025-03-11. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The EPSS score is likely to be medium to high, given the ease of exploitation and the potential for significant impact. It is not currently listed on the CISA KEV catalog.
Affected systems are WordPress websites using the HUSKY – Products Filter Professional for WooCommerce plugin, particularly those running older, unpatched versions (0.0.0–1.3.6.5). Shared hosting environments are at increased risk, as they often have limited control over server configurations and plugin updates. Sites with weak file access controls are also more vulnerable.
• wordpress / composer / npm:
  grep -r 'woof_text_search' /var/www/html/wp-content/plugins/
• generic web:
  curl -I 'http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../etc/passwd' | head -n 1
• wordpress / composer / npm:
  wp plugin list | grep HUSKY
Disclosure
Exploit status
EPSS
91.45% (100th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1661 is to immediately upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to a patched version when available. Until a patch is released, consider temporarily disabling the plugin to reduce the attack surface. As a short-term workaround, implement strict file access controls on the WordPress server to limit the ability to include arbitrary files. Web Application Firewalls (WAFs) configured to detect and block attempts to include files outside of designated directories can also provide some protection. Monitor WordPress access logs for suspicious activity, particularly requests containing unusual file paths or extensions.
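As an added example (not part of the original advisory and not code from the plugin vendor), the following Python script applies the log-monitoring advice above: it parses access-log lines in the Apache/nginx combined format and flags requests to admin-ajax.php that call the plugin's search action with a template parameter containing path traversal, an absolute path, or a null byte. The parameter names (action=woof_text_search, template) are taken from the check command on this page; the sample log lines, IP addresses and the percent-decoding depth are constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [11/Mar/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [11/Mar/2025:10:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=price HTTP/1.1" 200 200 "-" "Mozilla/5.0"
198.51.100.8 - - [11/Mar/2025:10:03:15 +0000] "GET /shop/?swoof=1&product_cat=hats HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Mar/2025:10:04:20 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment, after normalising backslashes to forward slashes.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

AJAX_PATH = '/wp-admin/admin-ajax.php'
ACTION = 'woof_text_search'   # plugin AJAX action named on this page
PARAM = 'template'            # parameter carrying the included file name


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (assumed depth: 3).

    parse_qs already decodes once; this catches double-encoded traversal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_template(template: str) -> bool:
    """Heuristic: traversal segment, absolute path, or embedded null byte."""
    t = decode_fully(template).replace('\\', '/')
    return '\x00' in t or t.startswith('/') or TRAVERSAL_RE.search(t) is not None


def analyze_line(line: str):
    """Return a finding dict for a suspicious plugin request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if parts.path != AJAX_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if ACTION not in qs.get('action', []):
        return None
    for template in qs.get(PARAM, []):
        if is_suspicious_template(template):
            return {
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'status': int(m.group('status')),
                'template': template,
                'decoded': decode_fully(template),
            }
    return None


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} status={finding['status']} "
              f"template={finding['decoded']!r}")
```

Two caveats when using this against real logs: admin-ajax.php requests are commonly sent as POST, and a POST body is not recorded in a standard access log, so this query-string review only sees GET traffic and a WAF that inspects request bodies is needed for the rest; and the heuristics are deliberately narrow (traversal, absolute path, null byte) to keep false positives low, so legitimate template names such as plain words pass untouched.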
Update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version to mitigate the unauthenticated local file inclusion vulnerability. Check the plugin's release notes for specific update instructions. Consider implementing additional security measures, such as restricting access to sensitive files and validating all user input.
CVE-2025-1661 is a critical Local File Inclusion vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin, allowing attackers to execute arbitrary PHP code.
You are affected if your WordPress site uses the HUSKY – Products Filter Professional for WooCommerce plugin and is running a version between 0.0.0 and 1.3.6.5.
Upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version as soon as a patch is released. Temporarily disable the plugin as a short-term mitigation.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted.
Check the HUSKY website and WordPress plugin repository for updates and advisories related to CVE-2025-1661.