Platform: wordpress
Component: woocommerce-products-filter
Fixed in: 1.3.6
CVE-2024-32680 is a Remote Code Execution (RCE) vulnerability discovered in the HUSKY – Products Filter for WooCommerce plugin, formerly known as WOOF. This flaw allows attackers to include malicious files and inject code, potentially leading to full system compromise. The vulnerability impacts versions of the plugin from its initial release through 1.3.5.2. A patch is available in version 1.3.6.
Successful exploitation of CVE-2024-32680 allows an attacker to execute arbitrary code on a WordPress website hosting the vulnerable plugin. This can lead to complete server takeover, data theft, defacement, or the installation of malware. The path traversal and code injection mechanisms provide a flexible attack surface, enabling attackers to upload and execute malicious scripts. Given the plugin's function as a product filter, attackers could potentially target e-commerce data, customer information, and administrative credentials. The blast radius extends to the entire WordPress installation and potentially connected systems if the server is compromised.
CVE-2024-32680 was publicly disclosed on May 17, 2024. While no active exploitation campaigns have been publicly confirmed, the RCE nature of the vulnerability and the availability of a public advisory suggest a high probability of exploitation. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 2.48% (85th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-32680 is to immediately upgrade the HUSKY – Products Filter for WooCommerce plugin to version 1.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting access to the plugin's file upload functionality. Web Application Firewalls (WAFs) configured to detect and block path traversal attempts (e.g., '../') and suspicious file uploads can provide an additional layer of defense. Monitor WordPress access logs for unusual file access patterns or attempts to execute arbitrary code.
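As an added example (not part of this advisory or the plugin's own code), the following script applies the log-monitoring advice above: it parses web-server access log lines in the common "combined" format, percent-decodes each request target repeatedly so single- and double-encoded traversal sequences are normalised, flags any request carrying a `../`-style sequence, and marks those aimed at the plugin's directory. The plugin directory `/wp-content/plugins/woocommerce-products-filter/` is assumed from the component slug; the file name and `file=` parameter in the sample lines are constructed placeholders, not parameters the plugin is known to expose.

```python
import re
from urllib.parse import unquote

# Assumption: the plugin lives under its WordPress slug from the advisory
# ("woocommerce-products-filter"). Which files it exposes is not stated in
# the advisory, so only the directory prefix is matched.
PLUGIN_DIR = "/wp-content/plugins/woocommerce-products-filter/"

# Apache/Nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Traversal after decoding: ".." followed by a slash/backslash or end of string.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences (%252e) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target: str) -> bool:
    """True if the request path or query contains a '../'-style sequence."""
    return TRAVERSAL_RE.search(decode_fully(target)) is not None


def scan_log(text: str) -> list:
    """Return one finding per request line that carries a traversal sequence."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        target = m.group("target")
        if not has_traversal(target):
            continue
        decoded = decode_fully(target)
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "target": target,
            "decoded": decoded,
            # Traversal aimed at the vulnerable plugin's directory is the
            # higher-priority signal for this advisory.
            "plugin_path": decoded.startswith(PLUGIN_DIR),
        })
    return findings


# Constructed sample lines (not captured from a real server). "index.php" and
# the "file=" parameter are placeholders, not known plugin entry points.
SAMPLE_LOG = (
    '203.0.113.5 - - [18/May/2024:10:01:02 +0000] "GET /shop/?product_cat=shoes&min_price=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
    '203.0.113.7 - - [18/May/2024:10:01:09 +0000] "GET /wp-content/plugins/woocommerce-products-filter/index.php?file=../../../../etc/passwd HTTP/1.1" 200 312 "-" "curl/8.0"\n'
    '203.0.113.7 - - [18/May/2024:10:01:15 +0000] "GET /wp-content/plugins/woocommerce-products-filter/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "curl/8.0"\n'
    '203.0.113.7 - - [18/May/2024:10:01:21 +0000] "GET /wp-content/plugins/woocommerce-products-filter/index.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 312 "-" "curl/8.0"\n'
    '198.51.100.9 - - [18/May/2024:10:02:40 +0000] "GET /wp-content/uploads/2024/05/catalog.pdf HTTP/1.1" 200 88231 "-" "Mozilla/5.0"\n'
    '198.51.100.12 - - [18/May/2024:10:03:01 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 210 "-" "python-requests/2.31"\n'
)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "PLUGIN" if f["plugin_path"] else "other"
        print(f'{f["ip"]} {f["status"]} [{flag}] {f["decoded"]}')
```

Run against the sample, four of the six lines are reported, three of them against the plugin directory; a 200 response on a flagged request deserves a closer look than a 403, since the latter shows the WAF or server already refused it. The decoder only normalises percent-encoding, so a WAF rule built the same way should also normalise the other encodings the server's URL handling accepts.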
Update the HUSKY – Products Filter for WooCommerce plugin to the latest available version. If no version that fixes the vulnerability is available, consider disabling or removing the plugin until an update is published. Consult the vendor's website for more information and security updates.
CVE-2024-32680 is a Remote Code Execution vulnerability affecting versions of the HUSKY – Products Filter for WooCommerce plugin up to 1.3.5.2, allowing attackers to execute arbitrary code.
You are affected if you are using HUSKY – Products Filter for WooCommerce version 1.3.5.2 or earlier. Check your plugin version and update immediately.
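To make the "check your plugin version" step concrete, here is an added example (not code from the advisory or the plugin) that reads the plugin header the way WordPress does, looking for a `Version:` line in the top-level PHP files of the plugin directory, and compares it numerically against the fixed version 1.3.6. The comparison is numeric rather than string-based so that a four-part version such as 1.3.5.2 and a hypothetical 1.3.10 are both ordered correctly; the directory path and sample header below are assumptions labelled in the code.

```python
import re
import sys
from pathlib import Path

# From the advisory: the first version that contains the fix.
FIXED_VERSION = "1.3.6"

# WordPress reads plugin metadata from a "Plugin Name:" / "Version:" header in
# the leading comment block of a top-level PHP file.
NAME_RE = re.compile(r'^[\s*#]*Plugin Name:\s*(.+?)\s*$', re.MULTILINE)
VERSION_RE = re.compile(r'^[\s*#]*Version:\s*([0-9][0-9.]*)', re.MULTILINE)


def parse_version(v: str) -> tuple:
    """'1.3.5.2' -> (1, 3, 5, 2); dotted integers of any length."""
    return tuple(int(p) for p in v.strip().strip(".").split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison; a string comparison would sort '1.3.10' before '1.3.6'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    # Pad with zeros so 1.3.6 and 1.3.6.0 compare equal.
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def is_affected(installed: str) -> bool:
    """Affected if the installed version predates the fixed one."""
    return version_lt(installed, FIXED_VERSION)


def header_version(php_source: str):
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def assess_header(php_source: str) -> tuple:
    """Return (version, affected) for a plugin file's contents; (None, None) if no header."""
    v = header_version(php_source)
    return (v, is_affected(v)) if v is not None else (None, None)


def assess_plugin_dir(plugin_dir: str) -> tuple:
    """Scan top-level PHP files for the plugin header, as WordPress does."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # header sits near the top
        if NAME_RE.search(head):
            result = assess_header(head)
            if result[0] is not None:
                return result
    return (None, None)


# Constructed sample header for offline use; not the real plugin's file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Example Products Filter (constructed sample header)
Version: 1.3.5.2
*/
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumed location: <wordpress root>/wp-content/plugins/woocommerce-products-filter
        version, affected = assess_plugin_dir(sys.argv[1])
    else:
        version, affected = assess_header(SAMPLE_HEADER)
    if version is None:
        print("no plugin header found")
    else:
        state = "AFFECTED, upgrade to %s or later" % FIXED_VERSION if affected else "not affected"
        print("installed %s: %s" % (version, state))
```

Pass the plugin directory as the first argument to check a live install; with no argument the script evaluates the constructed sample header and reports it as affected. Reading the header from disk gives the version actually deployed, which can differ from what the dashboard shows when an update was staged but not completed.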
Upgrade the HUSKY – Products Filter for WooCommerce plugin to version 1.3.6 or later to resolve this vulnerability.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and public disclosure suggest a high probability of exploitation.
Refer to the official plugin documentation and the WooCommerce security advisory for updates and further information: https://woofcommerce.com/blog/security-update-for-husky-products-filter-woocommerce/