Cyber Resilience

CVE-2025-1661

Critical

Published: 11 March 2025

Modified: 19 March 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9315 (99.8th percentile)
Risk Priority: 75 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1661 is a critical-severity Path Traversal (CWE-22) vulnerability in the Pluginus HUSKY - Products Filter Professional for WooCommerce plugin. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.2% of all CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to local file inclusion in all versions through 1.3.6.5. The flaw exists in the woof_text_search AJAX action, where the template parameter accepts an arbitrary path that is passed to PHP include operations without sufficient validation or sanitization.

Unauthenticated attackers can supply a crafted template value to include and execute any file readable by the web server process. Successful exploitation grants the ability to bypass access controls, read sensitive data, or obtain remote code execution when an attacker can first upload a file containing PHP code, such as certain image or other permitted file types.

The referenced Wordfence advisory and the WordPress plugin changeset entries document the issue and the availability of updated plugin versions that correct the parameter handling. The EPSS score stands at 0.9315, with no indication that it rose from a lower baseline after disclosure.

Vulnerability details

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

This LFI vulnerability in a public-facing WordPress plugin lets unauthenticated remote attackers include and execute arbitrary PHP files, which maps directly to T1190 for the initial exploitation and to T1505.003 for web-shell-style code execution (including via previously uploaded payloads).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13545 (same product class: WordPress / CMS plugin)
CVE-2025-7360 (same product class: WordPress / CMS plugin)
CVE-2025-2328 (same product class: WordPress / CMS plugin)
CVE-2024-13359 (same product class: WordPress / CMS plugin)
CVE-2024-8425 (same product class: WordPress / CMS plugin)
CVE-2025-7340 (same product class: WordPress / CMS plugin)
CVE-2025-24605 (same vendor: Pluginus)
CVE-2025-22786 (same product class: WordPress / CMS plugin)
CVE-2026-33529 (shared CWE-22)
CVE-2026-9550 (shared CWE-22)

Affected Assets

Vendor: pluginus
Product: husky - products filter professional for woocommerce
Versions: ≤ 1.3.6.6

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Patching the HUSKY Products Filter Professional plugin to a version later than 1.3.6.5 directly remediates the LFI vulnerability in the woof_text_search AJAX action.

SI-10 Information Input Validation (prevent): Validating the 'template' parameter at its input point prevents path traversal and arbitrary file inclusion leading to PHP code execution.

SC-7 Boundary Protection (prevent, detect): Boundary protection mechanisms such as web application firewalls monitor and block malicious requests that try to exploit the unauthenticated LFI via the 'template' parameter.
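The detection side of the boundary-protection control above can also be run retroactively over web server logs. The following Python is an added example, not code from the page, the plugin or Wordfence: it scans constructed combined-format access-log lines for GET requests to admin-ajax.php that invoke the woof_text_search action with a 'template' value that is not a plain template name, and reports why each one was flagged. It assumes that legitimate template values are bare names such as "products" or "products.php"; the log lines, IP addresses and file names are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in combined log format (hypothetical traffic, not real data).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Mar/2025:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=products HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Mar/2025:10:15:04 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../wp-config.php HTTP/1.1" 200 1830 "-" "curl/8.4"',
    '198.51.100.9 - - [11/Mar/2025:10:15:07 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%252e%252e%2fuploads%2favatar.jpg HTTP/1.1" 200 77 "-" "curl/8.4"',
    '192.0.2.5 - - [11/Mar/2025:10:15:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')
# Assumption: a legitimate template value is a bare name such as "products" or "products.php".
SAFE_TEMPLATE = re.compile(r'^[A-Za-z0-9_-]+(?:\.php)?$')

def inspect_request(uri):
    """Return a finding string if this is a woof_text_search request whose 'template'
    is not a plain template name; None if the request is unrelated or looks benign."""
    parts = urlsplit(uri)
    if not parts.path.endswith('/wp-admin/admin-ajax.php'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get('action', [''])[0] != 'woof_text_search' or 'template' not in params:
        return None
    # parse_qs has percent-decoded once already; decode again to expose double encoding.
    value = unquote(params['template'][0])
    if SAFE_TEMPLATE.match(value):
        return None
    reasons = []
    if '..' in value:
        reasons.append('directory traversal')
    if value.startswith(('/', '\\')):
        reasons.append('absolute path')
    if '://' in value:
        reasons.append('stream wrapper')
    if '\x00' in value:
        reasons.append('null byte')
    return 'woof_text_search template=%r: %s' % (value, ', '.join(reasons) or 'unexpected characters')

def scan_log(lines):
    """Return (client_ip, http_status, finding) for every suspicious request in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        finding = inspect_request(m.group('uri'))
        if finding:
            findings.append((m.group('ip'), m.group('status'), finding))
    return findings
```

Only the query string is visible in a standard access log, so this catches GET-style requests; parameters sent in a POST body need WAF or request-body logging to be inspected the same way.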

References