CVE-2025-1661 - Vulnerability Details

- HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Published: 2025-03-11

Score: 9.8 Critical

EPSS: 93.2% High

KEV: No

Impact:

Action:

Analysis

Impact

The HUSKY – Products Filter Professional for WooCommerce plugin includes a Local File Inclusion flaw in the ‘template’ parameter of the woof_text_search AJAX action. An attacker can supply a path that causes the server to read and execute any file on the file system, including files uploaded by the site owner. This allows execution of arbitrary PHP code, enabling full compromise of the site, data exfiltration, and bypassing of access controls.

Affected Systems

WordPress sites running the HUSKY – Products Filter Professional for WooCommerce plugin from realmag777 with any version up to and including 1.3.6.5 are affected. No additional products or versions are listed.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the EPSS score of 93% shows a very high likelihood of exploitation. Although not yet listed in CISA KEV, the vulnerability can be exploited remotely via an unauthenticated AJAX request that sets the ‘template’ parameter. Successful exploitation allows an attacker to include any local file, such as uploaded images that contain PHP code, and thus achieve arbitrary code execution on the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

realmag777

HUSKY – Products Filter Professional for WooCommerce

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.3.6.5

Configuration 1 [-]

cpe:2.3:a:pluginus:husky_-_products_filter_professional_for_woocommerce:*:*:*:*:*:wordpress:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the HUSKY – Products Filter Professional for WooCommerce plugin to version 1.3.6.6 or later, if available.
If an upgrade cannot be performed immediately, restrict file system permissions on upload directories and configure the server to disallow execution of files in those locations.
Apply web‑application firewall rules or server‑side input sanitization to block or neutralize the ‘template’ parameter in the woof_text_search AJAX request, preventing arbitrary file inclusion.

Generated by OpenCVE AI on April 22, 2026 at 04:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.93155.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://plugins.trac.wordpress.org/browser/woocommerce-products-filter/trunk/ext/by_text/index.php
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3249621%40woocommerce-products-filter&new=3249621%40woocommerce-products-filter&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3253169%40woocommerce-products-filter&new=3253169%40woocommerce-products-filter&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/9ae7b6fc-2120-4573-8b1b-d5422d435fa5?source=cve

History

Wed, 19 Mar 2025 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pluginus Pluginus husky - Products Filter Professional For Woocommerce
CPEs		cpe:2.3:a:pluginus:husky_-_products_filter_professional_for_woocommerce::::::wordpress::*
Vendors & Products		Pluginus Pluginus husky - Products Filter Professional For Woocommerce

Tue, 11 Mar 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 11 Mar 2025 03:30:00 +0000

Type	Values Removed	Values Added
Description		The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Title		HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion
Weaknesses		CWE-22
References		https://plugins.trac.wordpress.org/browser/woocommerce-products-filter/trunk/ext/by_text/index.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3249621%40woocommerce-products-filter&new=3249621%40woocommerce-products-filter&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3253169%40woocommerce-products-filter&new=3253169%40woocommerce-products-filter&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/9ae7b6fc-2120-4573-8b1b-d5422d435fa5?source=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Pluginus Husky - Products Filter Professional For Woocommerce

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-03-11T03:22:19.063Z

Updated: 2026-04-08T17:11:09.546Z

Reserved: 2025-02-24T20:19:34.034Z

Link: CVE-2025-1661

Vulnrichment

Updated: 2025-03-11T13:53:36.733Z

NVD

Status : Analyzed

Published: 2025-03-11T04:15:24.803

Modified: 2025-03-19T20:48:03.360

Link: CVE-2025-1661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:15:07Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object