CVE-2025-13109
📋 TL;DR
This vulnerability in the HUSKY – Products Filter Professional for WooCommerce WordPress plugin allows authenticated attackers with subscriber-level access or higher to manipulate saved search queries in any user's profile, including administrators. It affects all plugin versions up to 1.3.7.2 due to missing validation on user-controlled keys in the woof_add_query and woof_remove_query functions.
💻 Affected Systems
- HUSKY – Products Filter Professional for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify administrator search queries to disrupt operations, plant malicious queries, or manipulate user preferences across the site.
Likely Case
Attackers modify saved searches of other users to cause confusion, disrupt user experience, or potentially redirect users through manipulated search results.
If Mitigated
With proper access controls and input validation, impact is limited to minor user preference manipulation within the plugin's search functionality.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. The vulnerability is in publicly accessible plugin functions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.7.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3400527
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'HUSKY – Products Filter Professional for WooCommerce'.
4. Click 'Update Now' if available, or manually update to version 1.3.7.3+.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the HUSKY Products Filter plugin until patched
wp plugin deactivate husky-woocommerce-product-filter-pro
Restrict user registration
Disable new user registration to prevent attacker account creation
wp option update users_can_register 0
🧯 If You Can't Patch
- Remove plugin entirely if not essential for site functionality
- Implement web application firewall rules to block requests to woof_add_query and woof_remove_query functions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → HUSKY – Products Filter Professional for WooCommerce → Version. If version is 1.3.7.2 or lower, system is vulnerable.
Check Version:
wp plugin get husky-woocommerce-product-filter-pro --field=version
Verify Fix Applied:
Verify plugin version is 1.3.7.3 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=woof_add_query or action=woof_remove_query
- Multiple saved search modifications from single user accounts
- Search query modifications targeting administrator user IDs
Network Indicators:
- HTTP requests containing woof_add_query or woof_remove_query parameters with manipulated user_id values
SIEM Query:
source="wordpress.log" AND ("woof_add_query" OR "woof_remove_query") AND user_id!="current_user_id"
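The log indicators above, as an added Python check over constructed access-log lines (example code, not part of this advisory). It assumes a log format that records the authenticated WordPress user ID in a column and that the plugin action and target user_id are visible as query parameters; real access logs rarely carry either, so those are assumptions about the format, not facts about the plugin.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines, format: <client_ip> <wp_user_id> [<time>] "<method> <target> HTTP/1.1" <status>
# The wp_user_id column stands in for the logged-in user (assumed to be logged by a custom format).
SAMPLE_LOG = """\
10.0.0.5 7 [12/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=woof_add_query&user_id=7 HTTP/1.1" 200
10.0.0.5 7 [12/Jan/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=woof_add_query&user_id=1 HTTP/1.1" 200
10.0.0.5 7 [12/Jan/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=woof_remove_query&user_id=1 HTTP/1.1" 200
10.0.0.9 12 [12/Jan/2025:10:01:00 +0000] "GET /shop/?swoof=1&product_cat=shoes HTTP/1.1" 200
10.0.0.5 7 [12/Jan/2025:10:01:10 +0000] "POST /wp-admin/admin-ajax.php?action=woof_add_query&user_id=7 HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
WOOF_ACTIONS = {"woof_add_query", "woof_remove_query"}  # AJAX actions named in the advisory

def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, method, target, status = m.groups()
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    return {"ip": ip, "user": user, "method": method, "path": parts.path,
            "action": qs.get("action", [None])[0],
            "target_user": qs.get("user_id", [None])[0],  # parameter name is an assumption
            "status": int(status)}

def find_suspicious(log_text, burst_threshold=3):
    """Return (cross_user_hits, bursty_users): requests whose user_id differs from the
    authenticated user, and accounts issuing >= burst_threshold saved-search changes."""
    hits = []
    per_user = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["path"] != "/wp-admin/admin-ajax.php" or rec["action"] not in WOOF_ACTIONS:
            continue
        per_user[rec["user"]] += 1
        if rec["target_user"] is not None and rec["target_user"] != rec["user"]:
            hits.append(rec)
    bursty = [u for u, n in per_user.items() if n >= burst_threshold]
    return hits, bursty

if __name__ == "__main__":
    cross, bursts = find_suspicious(SAMPLE_LOG)
    for h in cross:
        print(f"user {h['user']} from {h['ip']} called {h['action']} against user_id={h['target_user']}")
    print("accounts with bursts of saved-search changes:", bursts)
```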