CVE-2025-1661
published 2025-03-11

CVE-2025-1661: The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including…

Priority: P1 · 92 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 52.80% (98.8th percentile)
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 6.12.60 | 6.12.60 |
| linux | linux_kernel | >= 6.13.0 < 6.17.10 | 6.17.10 |
| pluginus | husky_products_filter_professional_for_woocommerce | < 1.3.6.6 | 1.3.6.6 |
| realmag777 | husky_products_filter_professional_for_woocommerce | <= 1.3.6.5 | |

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php?template=../../../../../../../wp-config&value=a&min_symbols=1
Path: /wp-content/plugins/woocommerce-products-filter/
Command: action=woof_text_search
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with action=woof_text_search and a 'template' parameter containing path traversal sequences (e.g., '../').
  • The vulnerability is unauthenticated; no session cookie or authentication header is required to trigger the LFI via the AJAX endpoint.
  • The vulnerability affects all plugin versions up to and including 1.3.6.5; version 1.3.6.6 contains the patch. Detections should be scoped to sites running the vulnerable version range.
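The detection bullets above, turned into runnable logic. This is an added example written for this page, not code from the advisory's sources or from the plugin project. It assumes request records are available as dicts with method, url and (for POST) the form body, which is what a WAF log or reverse-proxy capture with body logging would give you; plain access logs do not carry POST bodies, so a query-string-only check would miss the POST form the first bullet describes. It checks both the query string and the body, since the IOC URL above carries 'template' in the query while the bullet talks about POST, decodes up to two layers of URL encoding so '%2e%2e%2f' is seen as '../', and includes the version-scoping helper the third bullet asks for. The sample requests are constructed, not captured traffic.

```python
"""Flag admin-ajax.php requests matching the CVE-2025-1661 pattern (added example)."""
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
VULNERABLE_ACTION = "woof_text_search"
LAST_VULNERABLE_VERSION = (1, 3, 6, 5)  # from the advisory: <= 1.3.6.5 affected, 1.3.6.6 fixed


def _decode(value: str) -> str:
    """Undo up to two layers of URL encoding so double-encoded traversal is visible."""
    prev = value
    for _ in range(2):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def _merged_params(query: str, body: str) -> dict:
    """Merge query-string and form-body parameters; the body wins on a name clash."""
    merged = {}
    for source in (query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            merged[key] = values[-1]
    return merged


def looks_like_lfi(template: str) -> bool:
    """True if the template value has a '..' path component or is an absolute path."""
    t = _decode(template).replace("\\", "/")
    return t.startswith("/") or any(seg == ".." for seg in t.split("/"))


def is_vulnerable_version(version: str) -> bool:
    """Version scoping for the third bullet. Assumes a purely numeric dotted version."""
    parts = tuple(int(p) for p in version.split("."))
    return parts <= LAST_VULNERABLE_VERSION


def classify_request(req: dict) -> Optional[dict]:
    """Return a finding for a request matching endpoint + action + traversal, else None."""
    url = urlsplit(req["url"])
    if url.path != AJAX_ENDPOINT:
        return None
    params = _merged_params(url.query, req.get("body", ""))
    if params.get("action") != VULNERABLE_ACTION:
        return None
    template = params.get("template", "")
    if not looks_like_lfi(template):
        return None
    return {
        "src": req.get("src", "?"),
        "method": req["method"],
        "template": _decode(template),
        "rule": "CVE-2025-1661 woof_text_search template traversal",
    }


def scan(requests: list) -> list:
    """Run classify_request over a batch and keep only the findings."""
    return [f for f in (classify_request(r) for r in requests) if f]


# Constructed sample records for this example; not real traffic.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "url": AJAX_ENDPOINT,
     "body": "action=woof_text_search&template=../../../../../../../wp-config&value=a&min_symbols=1"},
    {"src": "203.0.113.7", "method": "GET",
     "url": AJAX_ENDPOINT + "?action=woof_text_search&template=%2e%2e%2f%2e%2e%2fwp-config&value=a"},
    # Benign search: same action, but the template is a plain name.
    {"src": "198.51.100.4", "method": "POST", "url": AJAX_ENDPOINT,
     "body": "action=woof_text_search&template=default&value=shoes&min_symbols=1"},
    # Traversal-looking value on a different action: not this CVE's pattern, so not flagged.
    {"src": "198.51.100.9", "method": "POST", "url": AJAX_ENDPOINT,
     "body": "action=heartbeat&template=../../wp-config"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Both conditions (the woof_text_search action and a traversal-shaped template) are required before a request is flagged, which keeps ordinary product searches and unrelated AJAX actions out of the alert queue; the version helper lets you suppress findings on hosts already running 1.3.6.6 or later.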

CVSS provenance

  • NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • VulnCheck: 9.8 CRITICAL
  • vendor_redhat: 5.5 MEDIUM