Description
WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design tab textfields. Attackers can inject JavaScript code through fields like 'Text for block toggle' and 'Custom front css styles' that executes on frontend pages when saved, affecting all site visitors.
Published: 2026-05-13
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WOOF Products Filter plugin for WooCommerce version 1.2.3 contains a persistent cross-site scripting flaw that lets authenticated administrators insert JavaScript into plugin text fields such as ‘Text for block toggle’ and ‘Custom front css styles’. Those injected scripts are stored in the database and rendered on every front-end page, exposing each visitor to malicious payloads that can steal credentials, hijack sessions, deface the site, or execute arbitrary client-side code.

Affected Systems

Only HUSKY: Products Filter Professional for WooCommerce version 1.2.3, distributed under the pluginus framework, is affected. WordPress sites that have installed this exact release and grant logged-in users access to the plugin’s design tab are vulnerable; earlier or later releases have not been identified as impacted.

Risk and Exploitability

With a CVSS score of 4.8 the vulnerability is classified as moderate. EPSS information is not available, so the likelihood of exploitation cannot be precisely quantified. The flaw requires an authenticated user with permission to edit the design interface; once that prerequisite is met, the attacker can store a payload that will execute for every site visitor. External actors cannot exploit the flaw without first gaining admin credentials, but sites with weak or overly permissive admin accounts are at risk.

Generated by OpenCVE AI on May 13, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Products Filter plugin to the latest version that includes the XSS fix or the vendor’s patched build.
  • If an update is unavailable, restrict or delete the design-tab text fields that accept arbitrary input and limit the design interface to a small set of trusted administrators.
  • Implement server-side sanitization or escaping for the affected fields so that any JavaScript is stripped or encoded before storage and rendering.
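The sanitize-on-save plus escape-on-output pattern the last bullet asks for, shown as an added example written for this page and not taken from the plugin or its vendor. It models the two field types named in the description (a short text label and a free-form front-end CSS block) as WordPress options. The option names (`hyp_toggle_text`, `hyp_front_css`), the settings group and every `hyp_` function are assumed names; `register_setting`, `sanitize_text_field`, `wp_strip_all_tags`, `wp_unslash`, `esc_html`, `get_option` and `add_action` are real WordPress core functions.

```php
<?php
// Added example (hypothetical plugin code, not the HUSKY/WOOF plugin's own source).
// Two layers: a sanitize_callback so every write to the option is cleaned, and
// escaping at render time so a stale or otherwise-injected database value still
// cannot execute in the visitor's browser.

// A button label is plain text: strip every tag and control character on save.
function hyp_sanitize_toggle_text( $raw ) {
    return sanitize_text_field( wp_unslash( $raw ) );
}

// A CSS block is printed inside <style>; the one thing it must never contain is
// markup that closes that element or opens a new one. Strip tags and refuse any
// value that still looks like it is trying to break out of the stylesheet.
function hyp_sanitize_front_css( $raw ) {
    $css = wp_strip_all_tags( wp_unslash( $raw ) );
    if ( false !== stripos( $css, '</style' ) || false !== stripos( $css, '<script' ) ) {
        return ''; // reject rather than "repair" a hostile value
    }
    return $css;
}

// register_setting() binds the sanitizers to the options, so the Settings API
// (which also enforces the manage_options capability and a nonce on options.php)
// runs them on every save path, not only the plugin's own form handler.
function hyp_register_design_settings() {
    register_setting( 'hyp_filter_design', 'hyp_toggle_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'hyp_sanitize_toggle_text',
        'default'           => '',
    ) );
    register_setting( 'hyp_filter_design', 'hyp_front_css', array(
        'type'              => 'string',
        'sanitize_callback' => 'hyp_sanitize_front_css',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'hyp_register_design_settings' );

// Output escaping for the label: esc_html() turns '<', '>', '"', "'" and '&'
// into entities, so a stored <script> tag renders as literal text.
function hyp_render_block_toggle() {
    $label = get_option( 'hyp_toggle_text', '' );
    echo '<button type="button" class="hyp-block-toggle">' . esc_html( $label ) . '</button>';
}

// Output for the CSS: strip tags again at print time (defence in depth against
// values that reached the database before the sanitizer existed).
function hyp_print_front_css() {
    $css = get_option( 'hyp_front_css', '' );
    if ( '' === $css ) {
        return;
    }
    echo '<style id="hyp-front-css">' . "\n" . wp_strip_all_tags( $css ) . "\n</style>\n";
}
add_action( 'wp_head', 'hyp_print_front_css' );
```

The escaping step is the one that actually closes the reported issue: a sanitizer on the write path can be bypassed by any other code that writes the same option, whereas escaping at the exact output context (HTML text for the label, a raw stylesheet for the CSS) holds regardless of how the value got there.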

Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design tab textfields. Attackers can inject JavaScript code through fields like 'Text for block toggle' and 'Custom front css styles' that executes on frontend pages when saved, affecting all site visitors.
Title WOOF Products Filter for WooCommerce 1.2.3 Persistent XSS
First Time appeared Pluginus
Pluginus husky - Products Filter Professional For Woocommerce
Weaknesses CWE-79
CPEs cpe:2.3:a:pluginus:husky_-_products_filter_professional_for_woocommerce:1.2.3:*:*:*:*:*:*:*
Vendors & Products Pluginus
Pluginus husky - Products Filter Professional For Woocommerce
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T13:43:54.111Z

Reserved: 2026-02-10T17:51:52.146Z

Link: CVE-2020-37174

Vulnrichment

Updated: 2026-05-15T13:43:37.879Z

NVD

Status: Deferred

Published: 2026-05-13T16:16:32.880

Modified: 2026-05-13T17:07:21.030

Link: CVE-2020-37174

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:15:26Z

Weaknesses