Local File Inclusion Vulnerability in HUSKY Products Filter for WooCommerce by WordPress
CVE-2025-1661
Key Information:
- Vendor: WordPress
- CVE Published: 11 March 2025
What is CVE-2025-1661?
CVE-2025-1661 is a critical vulnerability in the HUSKY – Products Filter Professional plugin for WooCommerce, which is widely used on WordPress sites. It allows unauthorized attackers to perform Local File Inclusion (LFI) by manipulating the 'template' parameter of the woof_text_search AJAX action. By exploiting this flaw, attackers can include and execute arbitrary files on the server, which poses significant security risks for organizations running this plugin. Left unmitigated, the vulnerability could lead to unauthorized access to sensitive data, disruption of services, and execution of malicious code.
Technical Details
The Local File Inclusion vulnerability tracked as CVE-2025-1661 affects all versions of the HUSKY – Products Filter plugin up to and including 1.3.6.5. It arises from inadequate input validation of the 'template' parameter used in AJAX calls: because the value is not restricted to the plugin's intended template files, an attacker can use it to reach other files on the file system of the server hosting the WordPress site. By including arbitrary files, they may execute PHP code, which could compromise the integrity of the entire server. All versions of the plugin remain at risk until the vendor releases a patch that addresses the issue.
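To make the input-validation point concrete, here is an added PHP example that is not the plugin's own code and does not reproduce its actual handler. It shows a hypothetical AJAX callback in the vulnerable shape the advisory describes (a request-controlled 'template' value used directly to build an include path) beside a hardened version that resolves the value only through a fixed allowlist and a resolved-path check. The function names, the templates directory and the allowlist entries are assumptions; wp_send_json_error is an existing WordPress helper.

```php
<?php
// Added illustration, not code from the HUSKY plugin. The parameter name
// 'template' and the action name woof_text_search come from the advisory;
// the function names, directory layout and allowlist below are assumed.

// Vulnerable shape (hypothetical): the request value is concatenated straight
// into the include path. Any value that escapes the templates directory makes
// this a Local File Inclusion, which is the defect class described above.
function woof_render_template_vulnerable(string $template): void {
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened shape: only names on a fixed allowlist are ever mapped to a file,
// so the request cannot influence which file is included.
const WOOF_ALLOWED_TEMPLATES = ['default', 'compact', 'grid']; // assumed names

function woof_resolve_template(string $template): ?string {
    // Reject anything that is not an exact allowlist entry before touching disk.
    if (!in_array($template, WOOF_ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $template . '.php');
    // Defence in depth: the resolved file must still live inside $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function woof_render_template_hardened(string $template): void {
    $path = woof_resolve_template($template);
    if ($path === null) {
        // wp_send_json_error() emits a JSON error and terminates the request.
        wp_send_json_error('invalid template', 400);
        return;
    }
    include $path;
}

// Hypothetical AJAX callback wiring for the hardened version. The value is
// read from the request exactly as WordPress hands it over and then validated.
function woof_text_search_callback(): void {
    $template = isset($_REQUEST['template']) ? (string) $_REQUEST['template'] : 'default';
    woof_render_template_hardened($template);
}
```

An allowlist is preferable to sanitising the string (stripping "../", rejecting slashes and so on) because it leaves nothing for an attacker to bypass: the request value is compared for exact equality and is never used as part of a path. The realpath check is redundant with a correct allowlist but protects against a future edit that widens the list or builds the path differently.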
Potential Impact of CVE-2025-1661
- Unauthorized Code Execution: Attackers can execute arbitrary code on the server, potentially leading to complete system compromise and the disruption of services.
- Data Breaches: Successful exploitation of this vulnerability could allow attackers to access sensitive data stored on the server, including customer information, payment details, and proprietary data.
- Access Control Bypass: Attackers can bypass existing access controls, increasing the risk of further exploitation within the server environment and potentially leading to a domino effect of security breaches.
Affected Version(s)
HUSKY – Products Filter Professional for WooCommerce: all versions <= 1.3.6.5
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
References
EPSS Score
86% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Vulnerability started trending
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved