CVE-2025-1661
Published 2025-03-11 · CVE-2025-1661: The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including…
Priority P192 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 52.80% (98.8th percentile)
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 6.12.60 | 6.12.60 |
| linux | linux_kernel | >= 6.13.0 < 6.17.10 | 6.17.10 |
| pluginus | husky_products_filter_professional_for_woocommerce | < 1.3.6.6 | 1.3.6.6 |
| realmag777 | husky_products_filter_professional_for_woocommerce | <= 1.3.6.5 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with action=woof_text_search and a 'template' parameter containing path traversal sequences (e.g., '../').
- The vulnerability is unauthenticated; no session cookie or authentication header is required to trigger the LFI via the AJAX endpoint.
- The vulnerability affects all plugin versions up to and including 1.3.6.5; version 1.3.6.6 contains the patch. Detections should be scoped to sites running the vulnerable version range.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
OSV
CVE-2025-68213: idpf: fix possible vport_config NULL pointer deref in remove
osv · 2025-12-16
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix possible vport_config NULL pointer deref in remove
Attempting to remove the driver will cause a crash in cases where
the vport failed to initialize. The following trace is from an instance where
the driver failed during an attempt to create a VF:
[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated
[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)
[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028
...
[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]
...
[ 1723.364973] Call Trace:
[ 1723.365475]
[ 1723.365972] pci_device_remove+0x42/0xb0
[ 1723.366481] devic
GHSA
GHSA-fhhw-63w7-9jg7 · CVE-2025-1661 [CRITICAL] · CWE-22
ghsa_unreviewed · 2025-03-11
VulnCheck
CVE-2025-1661 [CRITICAL] · pluginus husky_-_products_filter_professional_for_woocommerce · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2025 · CVSS 9.8
Affected: pluginus husky_-_products_filter_professional_for_woocommerce
Required Action: Appl
Red Hat
CVE-2025-68213 [MEDIUM] · CWE-476 · kernel: idpf: fix possible vport_config NULL pointer deref in remove
vendor_redhat · 2025-12-16 · CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix possible vport_config NULL pointer deref in remove
No detection rules found.
Nuclei
CVE-2025-1661 [CRITICAL] · HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion
nuclei · CVSS 9.8
Template:
id: CVE-2025-1661
info:
  name: HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local Fi
References:
- https://plugins.trac.wordpress.org/browser/woocommerce-products-filter/trunk/ext/by_text/index.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3249621%40woocommerce-products-filter&new=3249621%40woocommerce-products-filter&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3253169%40woocommerce-products-filter&new=3253169%40woocommerce-products-filter&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9ae7b6fc-2120-4573-8b1b-d5422d435fa5?source=cve
Published: 2025-03-11
Exploited in the wild