Description
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators.
Published: 2025-12-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of user saved search queries, potentially enabling compromised administrators
Action: Patch Immediately
AI Analysis

Impact

An Insecure Direct Object Reference vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin allows an authenticated user with subscriber permissions to add or delete arbitrary saved search queries for any user, including administrators. This flaw arises from missing validation on user‐controlled keys within the woof_add_query and woof_remove_query functions, permitting attackers to alter other users’ saved search configurations and potentially expose or manipulate data that is queried on the front end.

Affected Systems

The affected software is the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, released by realmag777. Versions up to and including 1.3.7.2 are vulnerable.

Risk and Exploitability

The CVSS score is 4.3 and the EPSS score is below 1%, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be within the WordPress administration interface or plugin API calls, requiring authenticated access with a subscriber role or higher. While the likelihood of exploitation is low, the vulnerability allows an attacker to modify another user’s saved queries, which could lead to unintended data exposure or site presentation changes. Mitigating the risk involves limiting subscriber privileges or disabling the plugin until a patch is applied.

Generated by OpenCVE AI on April 21, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest released version (at least 1.3.7.3) following the patch committed in the referenced changeset.
  • If an immediate update cannot be performed, temporarily disable the HUSKY plugin or remove the woof_add_query and woof_remove_query functions until a fix is available.
  • Review the roles of all subscriber accounts on the site, restrict unnecessary subscriber privileges, and consider enforcing two‑factor authentication for elevated roles.

Generated by OpenCVE AI on April 21, 2026 at 17:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Dec 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Realmag777
Realmag777 huskys Products Filter Professional For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Realmag777
Realmag777 huskys Products Filter Professional For Woocommerce
Wordpress
Wordpress wordpress

Wed, 03 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Dec 2025 12:45:00 +0000

Type Values Removed Values Added
Description The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators.
Title HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query'
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Realmag777 Huskys Products Filter Professional For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:53.390Z

Reserved: 2025-11-12T23:36:07.758Z

Link: CVE-2025-13109

cve-icon Vulnrichment

Updated: 2025-12-03T13:56:15.454Z

cve-icon NVD

Status : Deferred

Published: 2025-12-03T13:16:01.807

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses