Platform
wordpress
Component
woocommerce-products-filter
Fixed version
1.3.7
CVE-2025-1661 is a critical Local File Inclusion (LFI) vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 through 1.3.6.5. A patch is expected from the vendor.
The impact of CVE-2025-1661 is severe. An attacker exploiting this LFI vulnerability can execute arbitrary PHP code on the server hosting the WordPress site. This allows them to bypass access controls, steal sensitive data (including user credentials, database information, and potentially even source code), and potentially gain full control of the web server. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing malware, creating backdoors, and defacing the website. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to gain code execution, but the specific impact depends on the server's configuration and the attacker's skill.
CVE-2025-1661 was publicly disclosed on 2025-03-11. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The EPSS score is likely to be medium to high, given the ease of exploitation and the potential for significant impact. It is not currently listed on the CISA KEV catalog.
WordPress websites using the HUSKY – Products Filter Professional for WooCommerce plugin are affected, particularly those running older, unpatched versions (0.0.0–1.3.6.5). Shared hosting environments are at increased risk, as they often have limited control over server configurations and plugin updates. Sites with weak file access controls are also more vulnerable.
• wordpress / composer / npm:
grep -r 'woof_text_search' /var/www/html/wp-content/plugins/
• generic web:
curl -I "http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../etc/passwd" | head -n 1
• wordpress / composer / npm:
wp plugin list | grep HUSKY
Disclosure
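The commands above locate the plugin but do not say whether the installed build falls inside the affected range. The following Python script is an added example (not part of this advisory and not the plugin's own code): it reads the WordPress plugin header from the `woocommerce-products-filter` directory, extracts the `Version:` field and compares it against the fixed version 1.3.7 stated above. The plugins path defaults to `/var/www/html/wp-content/plugins` from the grep check; the sample header text is constructed for the self-test and may differ from the real file's wording.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = "1.3.7"                       # fixed version stated in this advisory
PLUGIN_SLUG = "woocommerce-products-filter"   # component slug stated in this advisory
DEFAULT_PLUGINS_DIR = "/var/www/html/wp-content/plugins"  # path used by the grep check above

# WordPress reads plugin metadata from a "Plugin Name:" / "Version:" header comment
# in the plugin's main PHP file; the patterns tolerate leading "*" or "#" comment markers.
NAME_RE = re.compile(r"^[\s*#]*Plugin Name:\s*(?P<name>.+?)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^[\s*#]*Version:\s*(?P<v>\S+)\s*$", re.MULTILINE)

# Constructed sample header used by the self-test; not copied from the plugin.
SAMPLE_HEADER = """<?php
/*
Plugin Name: HUSKY - Products Filter Professional for WooCommerce
Version: 1.3.6.5
*/
"""


def parse_version(v):
    """'1.3.6.5' -> (1, 3, 6, 5). Parsing stops at the first non-numeric part."""
    parts = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """Per the advisory, every version below the fixed version is affected."""
    return parse_version(installed) < parse_version(fixed)


def header_version(php_source):
    """Return the Version field if the source carries a plugin header, else None."""
    if not NAME_RE.search(php_source):
        return None
    m = VERSION_RE.search(php_source)
    return m.group("v") if m else None


def installed_version(plugins_dir=DEFAULT_PLUGINS_DIR):
    """Scan the plugin directory's top-level PHP files for the header; None if not installed."""
    for php in sorted(Path(plugins_dir, PLUGIN_SLUG).glob("*.php")):
        v = header_version(php.read_text(errors="ignore"))
        if v:
            return v
    return None


if __name__ == "__main__":
    plugins_dir = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PLUGINS_DIR
    v = installed_version(plugins_dir)
    if v is None:
        print(f"{PLUGIN_SLUG} not found under {plugins_dir}")
    elif is_vulnerable(v):
        print(f"VULNERABLE: {PLUGIN_SLUG} {v} < {FIXED_VERSION} (CVE-2025-1661)")
    else:
        print(f"OK: {PLUGIN_SLUG} {v} >= {FIXED_VERSION}")
```

Run it as `python3 check_husky.py /path/to/wp-content/plugins` on each site (on shared hosting, once per WordPress install). The numeric tuple comparison is deliberate: a plain string comparison would rank "1.3.6.5" above "1.3.7", which is exactly the mistake that makes an affected site look patched.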
Exploit status
EPSS
91.45% (100th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1661 is to immediately upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to a patched version when available. Until a patch is released, consider temporarily disabling the plugin to reduce the attack surface. As a short-term workaround, implement strict file access controls on the WordPress server to limit the ability to include arbitrary files. Web Application Firewalls (WAFs) configured to detect and block attempts to include files outside of designated directories can also provide some protection. Monitor WordPress access logs for suspicious activity, particularly requests containing unusual file paths or extensions.
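The log-monitoring advice above can be turned into a concrete check. The Python below is an added example, not code from this advisory or from the vendor: it parses combined-format web server access-log lines and flags `admin-ajax.php` requests whose `action` is `woof_text_search` and whose `template` parameter (both names taken from the check commands above) carries a path-traversal or absolute-path value. It URL-decodes the value a second time so that double-encoded payloads are not missed. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [11/Mar/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%252e%252e%252fwp-config.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
192.0.2.9 - - [11/Mar/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=default HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Mar/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def looks_like_path_traversal(value):
    """True if a template value tries to leave the plugin's template directory."""
    # parse_qs already decoded once; decode again to catch double-encoded payloads
    decoded = unquote(unquote(value))
    return ".." in decoded or decoded.startswith("/") or "\\" in decoded or "\x00" in decoded


def find_lfi_attempts(log_text):
    """Return one dict per request that matches the CVE-2025-1661 probe pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-matching line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        if "woof_text_search" not in qs.get("action", []):
            continue
        for template in qs.get("template", []):
            if looks_like_path_traversal(template):
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "status": int(m.group("status")),
                    "template": unquote(unquote(template)),
                })
    return hits


if __name__ == "__main__":
    for h in find_lfi_attempts(SAMPLE_LOG):
        print(f"{h['timestamp']} {h['ip']} status={h['status']} template={h['template']!r}")
```

Two caveats for operating this: a standard access log only records the query string, so the same parameters sent in a POST body are invisible here and need a WAF or request-body log to catch; and a `200` status on a flagged line is not proof of a successful read, only a reason to pull the full request and the plugin version for that host.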
To mitigate the unauthenticated Local File Inclusion vulnerability, update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest version. Refer to the plugin's release notes for the specific update procedure. Also consider introducing additional security measures, such as restricting access to sensitive files and validating all user-supplied input.
CVE-2025-1661 is a critical Local File Inclusion vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin, allowing attackers to execute arbitrary PHP code.
You are affected if your WordPress site uses the HUSKY – Products Filter Professional for WooCommerce plugin and is running a version between 0.0.0 and 1.3.6.5.
Upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version as soon as a patch is released. Temporarily disable the plugin as a short-term mitigation.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted.
Check the HUSKY website and WordPress plugin repository for updates and advisories related to CVE-2025-1661.