CVE-2023-40010

9.3 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the HUSKY – Products Filter for WooCommerce Professional WordPress plugin allows attackers to execute arbitrary SQL commands on affected WordPress sites. All WordPress installations using vulnerable versions of this plugin are affected, potentially compromising the entire WordPress database.

💻 Affected Systems

Products:
  • HUSKY – Products Filter for WooCommerce Professional WordPress plugin
Versions: All versions up to and including 1.3.4.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce installed and the vulnerable plugin activated.

📦 What is this software?

A WordPress plugin (slug woocommerce-products-filter) that adds product filtering to WooCommerce storefronts; it requires WooCommerce to be installed and active.
⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, privilege escalation, site defacement, or full system takeover via SQL injection to RCE chaining.

🟠 Likely Case: Unauthorized data access, modification, or deletion of WooCommerce product data, customer information, and WordPress user credentials.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and database user privilege restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities in WordPress plugins are frequently exploited in the wild, especially when public PoCs exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.4.3 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/woocommerce-products-filter/wordpress-husky-plugin-1-3-4-2-sql-injection-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'HUSKY – Products Filter for WooCommerce Professional'.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.3.4.3+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily deactivate the HUSKY plugin until patched:

wp plugin deactivate woocommerce-products-filter

Web Application Firewall rule (applies to: all)

Block SQL injection patterns targeting the vulnerable plugin endpoints.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Apply principle of least privilege to database user accounts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → HUSKY – Products Filter for WooCommerce Professional → Version number

Check Version:

wp plugin get woocommerce-products-filter --field=version

Verify Fix Applied:

Confirm plugin version is 1.3.4.3 or higher in WordPress admin panel
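The verification steps above compare a dotted version string against 1.3.4.3. As an added example (not part of this advisory), the following Python script parses the version reported by wp-cli and compares it numerically rather than lexically, so a future 1.3.4.10 is not misread as older than 1.3.4.3. It assumes the plugin slug woocommerce-products-filter and the fix version given above; the wp-cli call uses the standard `--path` global option and is only attempted when a WordPress directory is passed on the command line.

```python
"""Check whether the installed HUSKY plugin is at or above the patched release.

Added example, not from the advisory. Assumes slug woocommerce-products-filter
and patched version 1.3.4.3, both taken from the advisory text.
"""
import re
import subprocess
import sys
from typing import Optional, Tuple

PLUGIN_SLUG = "woocommerce-products-filter"
PATCHED_VERSION = "1.3.4.3"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.3.4.2' into (1, 3, 4, 2) so components compare as integers.

    Any non-numeric suffix (e.g. '-beta1') is ignored for the comparison.
    """
    numeric = re.match(r"[0-9]+(?:\.[0-9]+)*", version.strip())
    if not numeric:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in numeric.group(0).split("."))


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when installed >= patched; shorter tuples are zero-padded (1.3.4 == 1.3.4.0)."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_version(wp_path: str) -> Optional[str]:
    """Ask wp-cli for the plugin version; None if wp-cli fails or the plugin is absent."""
    result = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    # Usage: python check_husky.py /var/www/html  (assumed WordPress root)
    if len(sys.argv) != 2:
        sys.exit("usage: check_husky.py <wordpress-path>")
    version = installed_version(sys.argv[1])
    if version is None:
        print(f"{PLUGIN_SLUG}: not installed or wp-cli error")
    elif is_patched(version):
        print(f"{PLUGIN_SLUG} {version}: patched (>= {PATCHED_VERSION})")
    else:
        print(f"{PLUGIN_SLUG} {version}: VULNERABLE, update to {PATCHED_VERSION} or later")
```

Running it as the web-server user (or with wp-cli's `--allow-root`) avoids file-permission errors from wp-cli; a non-zero exit from wp-cli is reported rather than treated as "patched".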

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in WordPress or database logs
  • Multiple failed login attempts from single IP
  • Unexpected database errors

Network Indicators:

  • HTTP requests with SQL injection payloads to /wp-content/plugins/woocommerce-products-filter/ endpoints

SIEM Query:

source="wordpress.log" AND "woocommerce-products-filter" AND ("SQL" OR "database error" OR "syntax error")
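The network and log indicators above describe two things worth pulling out of web-server access logs: requests to the plugin path carrying SQL-injection-looking input, and plugin-path requests that ended in a server error. As an added example (not part of this advisory), the following Python script implements both checks over Apache/nginx "combined" format log lines. The sample log lines, the endpoint name example-endpoint.php and the query parameters are constructed for the example; the indicator patterns are generic and should be tuned against a store's real query strings to limit false positives.

```python
"""Scan access-log lines for SQLi indicators aimed at the HUSKY plugin path.

Added example, not from the advisory. The plugin path comes from the advisory's
network indicator; the log lines and endpoint name below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote_plus

PLUGIN_PATH = "/wp-content/plugins/woocommerce-products-filter/"

# Generic SQL-injection indicators, checked against the URL-decoded request path.
SQLI_PATTERNS = {
    "union_select": re.compile(r"union\s+(?:all\s+)?select", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "schema_probe": re.compile(r"information_schema", re.I),
    "tautology": re.compile(r'''['"]\s*(?:or|and)\s+['"\w]+\s*=\s*['"\w]+''', re.I),
    "comment": re.compile(r"--\s|/\*"),
}

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_path(path: str) -> str:
    """Decode twice so double-encoded input (%2527 -> %27 -> ') is inspected too."""
    return unquote_plus(unquote_plus(path))


def sqli_indicators(path: str) -> List[str]:
    """Names of the indicator patterns that match the decoded path, in table order."""
    decoded = decode_path(path)
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]


def scan(lines: Iterable[str]) -> Dict[str, List[Dict[str, object]]]:
    """Return plugin-path requests with SQLi indicators and those with 5xx responses."""
    findings: Dict[str, List[Dict[str, object]]] = {"sqli": [], "server_errors": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None or PLUGIN_PATH not in decode_path(rec["path"]):
            continue  # only the vulnerable plugin's endpoints are in scope here
        hits = sqli_indicators(rec["path"])
        if hits:
            findings["sqli"].append(
                {"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "indicators": hits})
        if rec["status"].startswith("5"):
            findings["server_errors"].append(
                {"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "status": rec["status"]})
    return findings


# Constructed sample lines (RFC 5737 documentation addresses, invented endpoint name).
EP = PLUGIN_PATH + "example-endpoint.php"
SAMPLE_LOG = [
    f'203.0.113.10 - - [12/Aug/2023:10:01:02 +0000] "GET {EP}?filter=1&color=red HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - [12/Aug/2023:10:02:15 +0000] "GET {EP}?attr=1%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 200 2210 "-" "curl/8.0"',
    f'198.51.100.7 - - [12/Aug/2023:10:02:16 +0000] "GET {EP}?attr=1%20AND%20SLEEP(5) HTTP/1.1" 200 2210 "-" "curl/8.0"',
    f'203.0.113.11 - - [12/Aug/2023:10:03:40 +0000] "GET {EP}?filter=1&color=blue HTTP/1.1" 500 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Aug/2023:10:04:01 +0000] "GET /wp-login.php?log=a%27%20OR%201%3D1 HTTP/1.1" 200 300 "-" "curl/8.0"',
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for hit in result["sqli"]:
        print("SQLi indicators", hit["indicators"], "from", hit["ip"], "at", hit["ts"])
    for err in result["server_errors"]:
        print("server error", err["status"], "on plugin path from", err["ip"])
```

To run it over a real log, replace SAMPLE_LOG with the lines of the access log (for example `scan(open("/var/log/nginx/access.log"))`); a burst of hits from one source address, or 5xx responses appearing on the plugin path right after such requests, is the pattern that matches the advisory's "unexpected database errors" indicator and is worth correlating with the database error log.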
