CVE-2025-1661
Published: 11 March 2025
Summary
CVE-2025-1661 is a critical-severity Path Traversal (CWE-22) vulnerability in Pluginus Husky - Products Filter Professional For Woocommerce. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Patching the HUSKY Products Filter Professional plugin to versions beyond 1.3.6.5 directly remediates the LFI vulnerability in the woof_text_search AJAX action.
- Validating the 'template' parameter at input points prevents path traversal and arbitrary file inclusion leading to PHP code execution.
- Boundary protection mechanisms such as web application firewalls monitor and block malicious requests that exploit the unauthenticated LFI via the 'template' parameter.
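As an added illustration of the input-validation control above (not the plugin's own code, which this page does not show), a hypothetical PHP resolver for a 'template' parameter that allowlists the bare name and confines the resulting path to a fixed template directory; the function name, directory layout and '.php' extension are assumptions:

```php
<?php
declare(strict_types=1);

// Hypothetical hardened resolver for a user-supplied 'template' name.
// Returns the canonical file path inside $template_dir, or null when the
// value is rejected. Function name and '.php' extension are assumptions.
function woof_resolve_template(string $template, string $template_dir): ?string
{
    // 1. Allowlist the bare name: letters, digits, underscore, hyphen only.
    //    Separators, dots, NUL bytes and scheme prefixes never reach a path.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template) !== 1) {
        return null;
    }

    // 2. Build the path ourselves and canonicalise both ends.
    $base      = realpath($template_dir);
    $candidate = realpath($template_dir . DIRECTORY_SEPARATOR . $template . '.php');
    if ($base === false || $candidate === false) {
        return null; // template directory or file does not exist
    }

    // 3. Defence in depth: the canonical path must stay under the template
    //    directory (catches symlinks inside it that point elsewhere).
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo against a constructed temporary template directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'woof_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'default.php', "<?php echo 'default';\n");

foreach (['default', '../outside', '/absolute/path', 'missing'] as $name) {
    $resolved = woof_resolve_template($name, $dir);
    printf("%-16s %s\n", $name, $resolved === null ? 'rejected' : 'accepted: ' . $resolved);
}

unlink($dir . DIRECTORY_SEPARATOR . 'default.php');
rmdir($dir);
```

Only the first name resolves; the allowlist rejects the traversal and absolute-path inputs before any filesystem call, and the realpath check handles the non-existent file.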
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI vulnerability in a public-facing WordPress plugin enables remote, unauthenticated RCE via arbitrary PHP file inclusion and execution, which maps directly to T1190 for initial exploitation and to T1100 for web-shell-style code execution (including via uploaded payloads).
NVD Description
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Deeper analysis
CVE-2025-1661, published on 2025-03-11, is a Local File Inclusion vulnerability (CWE-22) in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, affecting all versions up to and including 1.3.6.5. The issue arises via the 'template' parameter in the woof_text_search AJAX action, which allows inclusion and execution of arbitrary files on the server, including any PHP code within those files.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required, earning it a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation enables attackers to execute arbitrary PHP code, bypass access controls, obtain sensitive data, or achieve code execution by uploading and including "safe" file types like images that contain PHP payloads.
Wordfence provides details on the vulnerability in its threat intelligence advisory. Patches addressing the issue appear in WordPress plugin trac changesets 3249621 and 3253169 for the woocommerce-products-filter repository, with the related source code in the ext/by_text/index.php file. Security practitioners should update the plugin to a version beyond 1.3.6.5 to mitigate exposure.
Details
- CWE(s)