Platform: wordpress
Component: woocommerce-products-filter
Fixed in: 1.3.7
CVE-2025-1661 is a critical Local File Inclusion (LFI) vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 through 1.3.6.5. A patch is expected from the vendor.
The impact of CVE-2025-1661 is severe. An attacker exploiting this LFI vulnerability can execute arbitrary PHP code on the server hosting the WordPress site. This allows them to bypass access controls, steal sensitive data (including user credentials, database information, and potentially even source code), and potentially gain full control of the web server. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing malware, creating backdoors, and defacing the website. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to gain code execution, but the specific impact depends on the server's configuration and the attacker's skill.
CVE-2025-1661 was publicly disclosed on 2025-03-11. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The EPSS score is likely to be medium to high, given the ease of exploitation and the potential for significant impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 91.45% (100th percentile)
The primary mitigation for CVE-2025-1661 is to immediately upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to a patched version when available. Until a patch is released, consider temporarily disabling the plugin to reduce the attack surface. As a short-term workaround, implement strict file access controls on the WordPress server to limit the ability to include arbitrary files. Web Application Firewalls (WAFs) configured to detect and block attempts to include files outside of designated directories can also provide some protection. Monitor WordPress access logs for suspicious activity, particularly requests containing unusual file paths or extensions.
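As an added example (not part of the advisory and not vendor code), the access-log review recommended above can be sketched as a scan for query parameters whose decoded values look like file paths. The log lines, the `item` parameter name and the pattern list are constructed assumptions; the advisory does not name the affected parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (combined log format); "item" is a hypothetical parameter name.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Mar/2025:10:00:01 +0000] "GET /shop/?orderby=price&min_price=10 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Mar/2025:10:00:02 +0000] "GET /?item=..%2F..%2Fwp-config.php HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.9 - - [11/Mar/2025:10:00:03 +0000] "GET /?item=%252e%252e%252f%252e%252e%252fnotes.txt HTTP/1.1" 200 98 "-" "curl/8.5.0"',
    '198.51.100.9 - - [11/Mar/2025:10:00:04 +0000] "GET /?item=/var/log/app.log HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [11/Mar/2025:10:00:05 +0000] "POST /checkout/ HTTP/1.1" 200 740 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumed heuristics for "unusual file paths or extensions"; tune to the site's own traffic.
CHECKS = [
    ("traversal", re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')),
    ("absolute_path", re.compile(r'^(?:/|[A-Za-z]:[\\/])')),
    ("script_or_config_extension", re.compile(r'\.(?:php\d?|phtml|phar|inc|ini|conf|log)$', re.I)),
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so %252e%252e%252f is seen as ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return one finding per query parameter whose decoded value looks like a file path."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        query = urlsplit(m["target"]).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl has already decoded one layer
            reasons = [label for label, rx in CHECKS if rx.search(value)]
            if reasons:
                findings.append({"ip": m["ip"], "status": m["status"], "param": name,
                                 "value": value, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["param"], f["value"], ",".join(f["reasons"]))
```

Access logs record only the request line, so parameters sent in a POST body never appear here; treat hits as triage leads rather than confirmed exploitation.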
Update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version to mitigate the unauthenticated Local File Inclusion vulnerability. Check the plugin's changelog for specific upgrade instructions. Consider implementing additional security measures, such as restricting access to sensitive files and validating all user input.
CVE-2025-1661 is a critical Local File Inclusion vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin, allowing attackers to execute arbitrary PHP code.
You are affected if your WordPress site uses the HUSKY – Products Filter Professional for WooCommerce plugin and is running a version between 0.0.0 and 1.3.6.5.
Upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version as soon as a patch is released. Temporarily disable the plugin as a short-term mitigation.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted.
Check the HUSKY website and WordPress plugin repository for updates and advisories related to CVE-2025-1661.