Platform
wordpress
Component
woocommerce-products-filter
Fixed in
1.3.7
CVE-2024-6457 describes a critical SQL Injection vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration and compromise of the WordPress database. The vulnerability impacts versions up to and including 1.3.6. A patch is available; users are strongly advised to upgrade immediately.
The SQL Injection vulnerability in HUSKY – Products Filter Professional for WooCommerce allows attackers to manipulate database queries through the ‘woof_author’ parameter. Successful exploitation could enable attackers to extract sensitive information such as user credentials, customer data, order details, and potentially even gain administrative access to the WordPress site. The impact is particularly severe as the vulnerability is unauthenticated, meaning an attacker does not need valid login credentials to exploit it. This could lead to a complete data breach and compromise of the entire WordPress installation, similar to other SQL Injection attacks that have resulted in significant data loss and reputational damage.
CVE-2024-6457 was publicly disclosed on 2024-07-16. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
8.48% (92% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-6457 is to upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to a version that includes the security fix. If immediate upgrade is not possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious SQL syntax in the ‘woof_author’ parameter. Additionally, review and harden database user permissions to limit the potential impact of a successful injection. After upgrade, confirm the vulnerability is resolved by attempting a test injection (carefully!) and verifying that it is properly sanitized.
Update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version. The SQL Injection vulnerability has been corrected in versions later than 1.3.6. This will prevent unauthenticated attackers from exploiting the vulnerability to extract sensitive information from the database.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-6457 is a critical SQL Injection vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin, allowing attackers to extract data.
You are affected if you are using HUSKY – Products Filter Professional for WooCommerce version 1.3.6 or earlier.
Upgrade the plugin to the latest version, which includes the security fix. Consider a WAF as a temporary mitigation.
While no active exploitation campaigns have been confirmed, the vulnerability's severity makes it a likely target.
Refer to the official HUSKY website or WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.