CVE-2025-1661

Published Mar 11, 2025

Last updated 5 days ago

CVSS critical 9.8
WordPress

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-1661 is a local file inclusion (LFI) vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, specifically versions up to and including 1.3.6.5. The vulnerability lies within the 'template' parameter of the `woof_text_search` AJAX action. This allows unauthenticated attackers to potentially include and execute arbitrary files on the server, which could enable them to execute PHP code within those files. Exploitation of this vulnerability could allow attackers to bypass access controls, access sensitive data, and potentially achieve remote code execution, particularly if the server allows uploads of image or other seemingly harmless file types that could contain embedded malicious code. As of March 11, 2025, there is no publicly available proof-of-concept exploit, nor is there evidence of active exploitation. However, technical details about the vulnerability are known.

Description
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Source
security@wordfence.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@wordfence.com
CWE-22

Social media

Hype score
Not currently trending

  1. Una vulnerabilidad crítica expone más de 100.000 sitios con el plugin de WordPress para WooCommerce ➡️ HUSKY – WooCommerce Products Filter Professional - WOOF ⚠️ CVE-2025-1661 permite LFI (Local File Inclusion) https://t.co/8n8PKVZqF0… https://t.co/VaoT5lv6fD

    @doncaptador

    12 Mar 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Una vulnerabilidad crítica expone más de 100.000 sitios con el plugin de WordPress para WooCommerce ➡️ HUSKY – WooCommerce Products Filter Professional - WOOF ⚠️ CVE-2025-1661 permite LFI (Local File Inclusion) https://t.co/FPb57iq38p https://t.co/mz7LjVSHN0

    @elhackernet

    12 Mar 2025

    11605 Impressions

    66 Retweets

    167 Likes

    37 Bookmarks

    1 Reply

    3 Quotes

  3. Follow @zoomeye_team & Get 7-Day Membership! 🚨ALERT: CVE-2025-1661 (CVSS 9.8)🚨 WooCommerce sites are UNDER ATTACK! Unauthenticated file inclusion vuln could let hackers run any file on your server. Think data theft, site defacement, or TOTAL TAKEOVER. ZoomEye… https://

    @zoomeye_team

    12 Mar 2025

    1626 Impressions

    7 Retweets

    22 Likes

    11 Bookmarks

    1 Reply

    1 Quote

  4. #VulnAlert 🚨 CVE-2025-1661 (9.8) - Path Traversal en el plugin HUSKY para WordPress 🔥 Permite ejecutar archivos arbitrarios en el servidor, incluyendo PHP. Dork: http.body:"plugins/woocommerce-products-filter" Más información: https://t.co/xLv2YMAGL1

    @Cyph3R_CyberSec

    12 Mar 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Critical Flaw Exposes 100,000+ WooCommerce Sites: Unauthenticated File Inclusion Threatens Total Takeover Learn about CVE-2025-1661, a critical vulnerability in the HUSKY plugin that puts over 100,000 WordPress stores at risk. https://t.co/JegZp2k9S5

    @the_yellow_fall

    12 Mar 2025

    466 Impressions

    3 Retweets

    9 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  6. 🚨 CVE-2025-1661 ⚠️🔴 CRITICAL (9.8) 🏢 realmag777 - HUSKY – Products Filter Professional for WooCommerce 🏗️ * 🔗 https://t.co/sjnxOtwS25 🔗 https://t.co/QsRO24E2GS 🔗 https://t.co/pzWRAxkarG 🔗 https://t.co/VE7MdwTpBe #CyberCron #VulnAlert #InfoSec https://t.co/49EwXTwD4x

    @cybercronai

    11 Mar 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. �� CVE-2025-1661 - WordPress - HIGH 🚨 🗓️ Date published 2025-03-11 04:15:24 UTC #WordPress #CyberSecurity #InfoSec #Vulnerability #TechNews https://t.co/Ux4ycb0r3L

    @vulns_space

    11 Mar 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-1661 The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via th… https://t.co/I6QUs6LSR1

    @CVEnew

    11 Mar 2025

    612 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. [CVE-2025-1661: CRITICAL] Vulnerability in HUSKY - Products Filter Professional for WooCommerce WordPress plugin (up to v1.3.6.5) allows unauthenticated attackers to execute arbitrary files, potentially compromisi...#cybersecurity,#vulnerability https://t.co/p9nAC0W76x https://t.

    @CveFindCom

    11 Mar 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References