Platform
wordpress
Component
woocommerce-products-filter
Fixed in
1.3.7
CVE-2025-1661 is a critical Local File Inclusion (LFI) vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 through 1.3.6.5. A patch is expected from the vendor.
The impact of CVE-2025-1661 is severe. An attacker exploiting this LFI vulnerability can execute arbitrary PHP code on the server hosting the WordPress site. This allows them to bypass access controls, steal sensitive data (including user credentials, database information, and possibly source code), and potentially gain full control of the web server. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing malware, creating backdoors, and defacing the website. This vulnerability shares similarities with other LFI exploits in which attackers leverage file inclusion to gain code execution, but the specific impact depends on the server's configuration and the attacker's skill.
CVE-2025-1661 was publicly disclosed on 2025-03-11. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The EPSS score is likely to be medium to high, given the ease of exploitation and the potential for significant impact. It is not currently listed on the CISA KEV catalog.
Affected are WordPress websites using the HUSKY – Products Filter Professional for WooCommerce plugin, particularly those running older, unpatched versions (0.0.0–1.3.6.5). Shared hosting environments are at increased risk, as site owners there often have limited control over server configuration and plugin updates. Sites with weak file access controls are also more exposed.
• wordpress / composer / npm:
grep -r 'woof_text_search' /var/www/html/wp-content/plugins/
• generic web:
curl -I "http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../etc/passwd" | head -n 1
• wordpress / composer / npm:
wp plugin list | grep HUSKY
Disclosure
Exploit Status
EPSS
91.45% (100th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-1661 is to immediately upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to a patched version when available. Until a patch is released, consider temporarily disabling the plugin to reduce the attack surface. As a short-term workaround, implement strict file access controls on the WordPress server to limit the ability to include arbitrary files. Web Application Firewalls (WAFs) configured to detect and block attempts to include files outside of designated directories can also provide some protection. Monitor WordPress access logs for suspicious activity, particularly requests containing unusual file paths or extensions.
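To support the log-monitoring advice above, here is an added detection script (not part of the original advisory or the plugin) that scans access-log lines for GET requests to admin-ajax.php with the woof_text_search action and a traversal or absolute path in the template parameter. The log lines are constructed samples; the log format, IP addresses and timestamps are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 1-2 carry traversal in the 'template' parameter (line 2 URL-encoded);
# line 3 is a benign call to the same AJAX action; line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [11/Mar/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Mar/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=default HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Mar/2025:10:02:10 +0000] "GET /shop/?product_cat=shirts HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"\.\.[/\\]")


def is_suspicious(target: str) -> bool:
    """True if the request targets the vulnerable AJAX action with a
    traversal sequence or absolute path in the 'template' parameter."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    qs = parse_qs(parts.query)          # parse_qs decodes one layer of %XX
    if "woof_text_search" not in qs.get("action", []):
        return False
    for tmpl in qs.get("template", []):
        decoded = unquote(tmpl)         # second decode catches double encoding
        if TRAVERSAL.search(decoded) or decoded.startswith(("/", "\\")):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (ip, timestamp, status, decoded target) for each suspicious line.
    Only GET requests are visible here: POST bodies are not written to access
    logs, so pair this with a WAF rule that inspects request bodies too."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append((m["ip"], m["ts"], m["status"], unquote(m["target"])))
    return hits


if __name__ == "__main__":
    for ip, ts, status, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target}")
```

A 200 status on a flagged line is the signal to treat as a possible successful inclusion and to escalate to incident response.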
Update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version to mitigate the unauthenticated local file inclusion vulnerability. Check the plugin's release notes for specific update instructions. Consider implementing additional security measures, such as restricting access to sensitive files and validating all user input.
CVE-2025-1661 is a critical Local File Inclusion vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin, allowing attackers to execute arbitrary PHP code.
You are affected if your WordPress site uses the HUSKY – Products Filter Professional for WooCommerce plugin and is running a version between 0.0.0 and 1.3.6.5.
Upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version as soon as a patch is released. Temporarily disable the plugin as a short-term mitigation.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted.
Check the HUSKY website and WordPress plugin repository for updates and advisories related to CVE-2025-1661.