CVE-2025-1661
Published: 11 March 2025
Summary
CVE-2025-1661 is a critical-severity Path Traversal (CWE-22) vulnerability in Pluginus Husky - Products Filter Professional For Woocommerce. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to local file inclusion in all versions through 1.3.6.5. The flaw exists in the woof_text_search AJAX action, where the template parameter accepts an arbitrary path that is passed to PHP include operations without sufficient validation or sanitization.
Unauthenticated attackers can supply a crafted template value to include and execute any file readable by the web server process. Successful exploitation grants the ability to bypass access controls, read sensitive data, or obtain remote code execution when an attacker can first upload a file containing PHP code, such as certain image or other permitted file types.
The referenced Wordfence advisory and WordPress plugin changeset entries document the issue and the availability of updated plugin versions that address the parameter handling. The EPSS score stands at 0.9315 with no indicated rise from a lower baseline after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7408
Vulnerability details
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated…
more
attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI vulnerability in public-facing WordPress plugin enables remote unauthenticated RCE via arbitrary PHP file inclusion/execution, directly mapping to T1190 for initial exploitation and T1100 for web shell-style code execution (including via uploaded payloads).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Patching the HUSKY Products Filter Professional plugin to versions beyond 1.3.6.5 directly remediates the LFI vulnerability in the woof_text_search AJAX action.
Validating the 'template' parameter at input points prevents path traversal and arbitrary file inclusion leading to PHP code execution.
Boundary protection mechanisms like web application firewalls monitor and block malicious requests exploiting the unauthenticated LFI via the 'template' parameter.