The HUSKY – Products Filter Professional for WooCommerce plugin contains an Insecure Direct Object Reference vulnerability in the woof_add_subscr function, which lacks proper validation on a user‑controlled key. This flaw allows attackers who are authenticated with subscriber level privileges or higher to create product messenger subscriptions on behalf of any WordPress user, including administrators. The resulting impact is unauthorized modification of subscription data.

All versions of the HUSKY – Products Filter Professional for WooCommerce plugin up to and including 1.3.7.3 are affected. The vulnerability applies to WordPress sites that have installed any of those plugin releases and rely on the woof_add_subscr endpoint. Upgrading the plugin to a version newer than 1.3.7.3 removes the missing validation and fixes the problematic endpoint. The vulnerability is not tied to specific WordPress core versions, but to any supported WordPress installation running the affected plugin versions.

The CVSS v3.1 score of 4.3 indicates a moderate severity, and the EPSS < 1% reflects a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, further suggesting it has not yet been widely leveraged by threat actors. However, because the exploit requires authenticated access at the subscriber level, users with moderate or higher privileges are at risk. If a privileged user is compromised or able to articulate a subscription request, attackers can create subscriptions for other users, leading to unauthorized subscription activities. The overall risk is modest but non‑negligible for sites that rely on subscription data for marketing or communication.