Platform
wordpress
Component
woocommerce-products-filter
Fixed version
1.3.7
CVE-2025-1661 is a critical Local File Inclusion (LFI) vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions 0.0.0 through 1.3.6.5. A patch is expected from the vendor.
The impact of CVE-2025-1661 is severe. An attacker exploiting this LFI vulnerability can execute arbitrary PHP code on the server hosting the WordPress site. This allows them to bypass access controls, steal sensitive data (including user credentials, database information, and potentially even source code), and potentially gain full control of the web server. The ability to execute arbitrary code opens the door to a wide range of malicious activities, including installing malware, creating backdoors, and defacing the website. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to gain code execution, but the specific impact depends on the server's configuration and the attacker's skill.
CVE-2025-1661 was publicly disclosed on 2025-03-11. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The EPSS score is likely to be medium to high, given the ease of exploitation and the potential for significant impact. It is not currently listed on the CISA KEV catalog.
WordPress websites using the HUSKY – Products Filter Professional for WooCommerce plugin, particularly those running older, unpatched versions (0.0.0–1.3.6.5). Shared hosting environments are at increased risk, as they often have limited control over server configurations and plugin updates. Sites with weak file access controls are also more vulnerable.
• wordpress / composer / npm:
grep -r 'woof_text_search' /var/www/html/wp-content/plugins/
• generic web:
curl -I "http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../etc/passwd" | head -n 1
• wordpress / composer / npm:
wp plugin list | grep -iE 'husky|woocommerce-products-filter'
Disclosure
Exploitation status
EPSS
91.45% (100th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1661 is to immediately upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to a patched version when available. Until a patch is released, consider temporarily disabling the plugin to reduce the attack surface. As a short-term workaround, implement strict file access controls on the WordPress server to limit the ability to include arbitrary files. Web Application Firewalls (WAFs) configured to detect and block attempts to include files outside of designated directories can also provide some protection. Monitor WordPress access logs for suspicious activity, particularly requests containing unusual file paths or extensions.
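The log-monitoring advice above and the curl check earlier on this page both key on the same request shape: a call to admin-ajax.php with action=woof_text_search and a template parameter carrying a directory-traversal path. The following script is an added example (not code from the advisory or from the plugin vendor) that scans access-log lines in the Apache/Nginx combined format for that pattern. The log lines are constructed samples, and the parameter names are assumed from the check command on this page.

```python
"""Detect CVE-2025-1661 style probes in web-server access logs.

Flags requests to /wp-admin/admin-ajax.php with action=woof_text_search
whose `template` value looks like a path traversal or an absolute path.
Percent-encoding is decoded twice so double-encoded payloads are caught.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [11/Mar/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Mar/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Mar/2025:10:00:04 +0000] "GET /?s=shoes HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

VULN_ACTION = "woof_text_search"   # assumed from the check command on this page
VULN_PARAM = "template"            # assumed from the check command on this page


def is_suspicious_template(value):
    """True if the template value contains traversal, an absolute path or a NUL byte."""
    decoded = unquote(unquote(value))  # second pass catches double encoding
    return (
        "../" in decoded
        or "..\\" in decoded
        or decoded.startswith("/")
        or "\x00" in decoded
    )


def classify(line):
    """Return a finding dict for a request to the vulnerable action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != VULN_ACTION:
        return None
    # Several template values may be present; flag the request if any is bad.
    templates = qs.get(VULN_PARAM, [])
    flagged = [t for t in templates if is_suspicious_template(t)]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "template": flagged[0] if flagged else (templates[0] if templates else ""),
        "suspicious": bool(flagged),
    }


def scan(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line)
        if f and f["suspicious"]:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        # A 200 response to a traversal probe deserves immediate follow-up.
        print(f"{f['ts']} {f['ip']} status={f['status']} template={f['template']!r}")
```

Run it against a real log with `scan(open("/var/log/nginx/access.log").read())`; a 200 response to a flagged request is the case to escalate, since it suggests the plugin served the requested file rather than rejecting the parameter.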
Update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version to mitigate the unauthenticated Local File Inclusion vulnerability. Consult the plugin's release notes for specific update instructions. Consider implementing additional security measures, such as restricting access to sensitive files and validating all user input.
CVE-2025-1661 is a critical Local File Inclusion vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin, allowing attackers to execute arbitrary PHP code.
You are affected if your WordPress site uses the HUSKY – Products Filter Professional for WooCommerce plugin and is running a version between 0.0.0 and 1.3.6.5.
Upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to the latest available version as soon as a patch is released. Temporarily disable the plugin as a short-term mitigation.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted.
Check the HUSKY website and WordPress plugin repository for updates and advisories related to CVE-2025-1661.