CVE-2025-1661
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform Local File Inclusion (LFI) via the 'template' parameter in the HUSKY plugin for WordPress. Attackers can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, and access control bypass. All WordPress sites using vulnerable versions of the HUSKY – Products Filter Professional for WooCommerce plugin are affected.
💻 Affected Systems
- HUSKY – Products Filter Professional for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data exfiltration, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthenticated attackers achieve remote code execution, install web shells, steal sensitive data, or deface websites.
If Mitigated
Attack limited to file inclusion without code execution if PHP execution is restricted for included files.
🎯 Exploit Status
Simple HTTP request with crafted template parameter. Exploit code is publicly available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.6.6
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'HUSKY – Products Filter Professional for WooCommerce'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.3.6.6+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Temporarily disable the woof_text_search AJAX action via WordPress hooks.
Add to the theme's functions.php or a custom plugin:
remove_action('wp_ajax_woof_text_search', 'woof_text_search_callback');
remove_action('wp_ajax_nopriv_woof_text_search', 'woof_text_search_callback');
Note that remove_action only takes effect if it runs after the plugin has registered the action; if the calls run too early, attach them to a later hook (for example init with a high priority number) so they execute once the plugin's add_action has run.
Web Application Firewall rule
Block requests containing malicious template parameter patterns
WAF rule to block: template parameter containing path traversal sequences (../) or PHP file extensions
🧯 If You Can't Patch
- Disable or remove the HUSKY plugin entirely
- Implement strict file upload restrictions and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → HUSKY plugin version. If the version is 1.3.6.5 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=woocommerce-products-filter --field=version (if WP-CLI is installed; woocommerce-products-filter is the plugin's repository slug, as seen in the Trac links in the References, and the --name filter matches the slug exactly)
Verify Fix Applied:
Confirm plugin version is 1.3.6.6 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with action=woof_text_search containing template parameter with path traversal (../) or .php extensions
- Unusual file inclusion attempts in web server logs
Network Indicators:
- POST requests to admin-ajax.php with suspicious template parameter values
- Unexpected PHP file execution from non-standard locations
SIEM Query:
source="web_access.log" AND uri="/wp-admin/admin-ajax.php" AND query="*action=woof_text_search*" AND (query="*template=*../*" OR query="*template=*.php*")
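As an added example that is not part of the original advisory, the following Python script applies the log indicator above to web-server access-log lines, and also catches URL-encoded traversal sequences that a literal "../" match in the SIEM query would miss. The combined log format is assumed, and the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (Apache/nginx); only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def flag_request(line):
    """Return a finding for a request matching the log indicator (admin-ajax.php,
    action=woof_text_search, template containing ../ or .php); None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    if not url.path.endswith('/wp-admin/admin-ajax.php'):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if 'woof_text_search' not in params.get('action', []):
        return None
    for value in params.get('template', []):
        # parse_qs has already decoded once; decode again so a double-encoded
        # "..%252F" does not slip past the traversal check.
        decoded = unquote(value)
        if TRAVERSAL_RE.search(decoded) or '.php' in decoded.lower():
            return {'ip': m.group('ip'), 'time': m.group('ts'),
                    'method': m.group('method'), 'status': int(m.group('status')),
                    'template': decoded}
    return None

def scan_log(lines):
    """Apply flag_request to every line and return the findings in log order."""
    return [f for f in map(flag_request, lines) if f]

# Constructed sample lines (not real traffic): a benign filter call, a
# URL-encoded traversal probe, a plain one sent over POST, and a traversal
# under a different action that the rule must ignore.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=woof_text_search&template=default HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Mar/2025:12:00:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=woof_text_search&template=..%2F..%2F..%2Fuploads%2Fx.php HTTP/1.1" 200 87',
    '198.51.100.23 - - [10/Mar/2025:12:00:09 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=woof_text_search&template=../../../index.php HTTP/1.1" 500 0',
    '203.0.113.9 - - [10/Mar/2025:12:01:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat&template=../x HTTP/1.1" 200 10',
]
```

A standard access log records only the query string, so a template value carried in a POST body is invisible to this check; cover that path with the WAF rule or application-level request logging.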
🔗 References
- https://plugins.trac.wordpress.org/browser/woocommerce-products-filter/trunk/ext/by_text/index.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3249621%40woocommerce-products-filter&new=3249621%40woocommerce-products-filter&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3253169%40woocommerce-products-filter&new=3253169%40woocommerce-products-filter&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9ae7b6fc-2120-4573-8b1b-d5422d435fa5?source=cve