CVE-2025-1661 - Dangerous Local File Inclusion in HUSKY – Products Filter Professional for WooCommerce (WordPress) Explained
If you’re running a WooCommerce shop on WordPress and use the popular HUSKY – Products Filter Professional plugin, you must read this. There's a new vulnerability, CVE-2025-1661, that affects _all plugin versions up to and including 1.3.6.5_. This post will walk you through what it is, how it works, how attackers can exploit it — with simple code snippets — and what you can do about it.
What is CVE-2025-1661?
CVE-2025-1661 is a Local File Inclusion (LFI) vulnerability. It exists in the "HUSKY – Products Filter Professional for WooCommerce" plugin on WordPress. The flaw is due to improper handling of the template parameter, specifically in the woof_text_search AJAX action.
What does this mean?
It means hackers can trick your plugin into loading and running files from your server — including files they upload. That’s how they can run PHP code and do almost anything on your website: get database credentials, run arbitrary commands, or deface your shop.
Official references
- Wordfence advisory & POC
- WPScan Vulnerability Database entry
- NVD details page
The Issue: Unchecked File Paths
The plugin handles AJAX requests for its text search. The request's template parameter ends up in a file path with no real validation, so an attacker can make the plugin include any file the web server process can read. Because include() executes whatever PHP it finds, any PHP code in that file runs with the web server's privileges.
Vulnerable Code Snippet
The plugin's real handler is longer, but the pattern it gets wrong reduces to this simplified illustration (not the plugin's actual code):

```php
// Simplified illustration of the flaw, not the plugin's actual code.
if (isset($_POST['template'])) {
    $template = $_POST['template'];   // attacker-controlled, used verbatim
    include($template . '.php');      // DANGEROUS: no path validation, so ../ traversal escapes the intended directory
}
```

With no filtering, a template value of ../../wp-config makes the plugin include ../../wp-config.php, resolved relative to whatever directory the include statement runs from.
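For comparison, here is the same include hardened two ways. This is an added example written for this post, not the plugin's own code; TEMPLATE_DIR, TEMPLATE_MAP, the template file names and the surrounding WordPress context (wp_send_json_error) are assumptions.

```php
<?php
// Added example, not the plugin's code: the same include, hardened two ways.
// TEMPLATE_DIR, TEMPLATE_MAP and the template file names are assumptions.

const TEMPLATE_DIR = __DIR__ . '/templates/';
const TEMPLATE_MAP = [
    'search_text' => 'search_text.php',
    'search_ajax' => 'search_ajax.php',
];

// Option 1: allowlist. The request selects a key; the key selects a fixed file.
// No attacker-controlled string is ever concatenated into the include path.
function resolve_template_allowlist(string $requested): string
{
    $file = TEMPLATE_MAP[$requested] ?? TEMPLATE_MAP['search_text'];
    return TEMPLATE_DIR . $file;
}

// Option 2: containment, for when the set of templates is open-ended.
// Accept only a plain name, resolve it with realpath(), and require the result
// to stay inside TEMPLATE_DIR. realpath() returns false for missing files and
// for stream wrappers such as php://filter, and it follows symlinks, so a link
// that points outside the directory is rejected as well.
function resolve_template_contained(string $requested): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        return null;                                   // slashes, dots, wrappers: rejected
    }
    $base      = realpath(TEMPLATE_DIR);
    $candidate = realpath(TEMPLATE_DIR . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;                                   // missing directory or file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                   // resolved outside the directory
    }
    return $candidate;
}

// Usage inside the AJAX handler (WordPress context assumed for wp_send_json_error,
// which sends a JSON error and ends the request).
$requested = isset($_POST['template']) ? (string) $_POST['template'] : 'search_text';
$path = resolve_template_contained($requested);
if ($path === null) {
    wp_send_json_error('invalid template', 400);
}
include $path;
```

The allowlist is the stronger choice when the set of templates is known in advance, because the request can then only pick among fixed files. The containment variant is what to reach for when templates are discovered at runtime; the name check alone already stops ../ and php:// payloads, and the realpath() comparison additionally catches a symlink inside the template directory that points elsewhere.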
1. Include Arbitrary Files
Attackers send a crafted request to the vulnerable action through admin-ajax.php. For example:

```bash
curl -X POST \
  -d 'action=woof_text_search&template=../../wp-config' \
  https://your-store.com/wp-admin/admin-ajax.php
```

The number of ../ segments depends on the directory the plugin resolves the path against, so the values in these examples are illustrative. Note also what this request does not do: including wp-config.php executes it rather than printing it. The file only defines constants such as DB_PASSWORD, and defining them again inside the already-running WordPress process produces at most "already defined" warnings, never the values, whether or not PHP error display is on. Reading source through an include primitive normally requires a stream wrapper such as php://filter/convert.base64-encode/resource=..., and whether that is reachable depends on exactly how the real handler builds the path. The reliable impact of this bug is the one in the next step: executing a file the attacker controls.
2. Achieve Remote Code Execution
What if your site lets users upload images? An attacker uploads a file that passes as a .jpg (a valid image header with a <?php ... ?> block embedded in it) and then points the vulnerable include at it. PHP's include() treats any file as a PHP script regardless of its extension: everything outside the PHP tags is echoed as-is and everything inside them is executed.
Example:

```bash
curl -X POST \
  -d 'action=woof_text_search&template=../../uploads/malicious_shell.jpg' \
  https://your-store.com/wp-admin/admin-ajax.php
```

Now the uploaded file runs as PHP with the web server's privileges, and the attacker has a web shell on the store. One caveat: the simplified snippet earlier appends .php to the value, and if the real handler does the same, malicious_shell.jpg becomes malicious_shell.jpg.php and the inclusion fails (modern PHP no longer honours the old %00 truncation trick). Whether non-.php uploads are reachable therefore depends on the exact include statement; an attacker who can write any file with whatever name the code expects gets the same result.
3. No Authentication Required
The woof_text_search action is exposed to anonymous visitors (WordPress serves it through the nopriv AJAX hook), so anyone who can reach admin-ajax.php can trigger it. No account, nonce or capability check stands in the way, which is why the whole store is at risk rather than only logged-in users' sessions.
How to Protect Your Site
1. Update Immediately.
Every release up to and including 1.3.6.5 is affected. Install a release newer than 1.3.6.5 from the plugin's official WordPress.org page, then confirm the installed version under Plugins.
2. Block the Exploited AJAX Calls.
If you cannot upgrade right away, reject requests to admin-ajax.php whose action parameter is woof_text_search, at least from unauthenticated callers, or reject any template value that is not a plain name. A WAF rule or a small must-use plugin can do this.
3. Harden File Uploads.
Don't allow arbitrary files to be uploaded, especially not PHP. Keep WordPress' built-in MIME allowlist in place and deny PHP execution inside wp-content/uploads at the web-server level (an .htaccess rule on Apache or a location block on nginx), so that even a file that slips through cannot run.
4. Check for Suspicious Files.
Scan wp-content/uploads for unexpected .php files and for files of other extensions (such as .jpg) that contain <?php tags, since the include primitive runs those too.
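The interim block from step 2, as a must-use plugin. This is an added example for this post, not part of HUSKY; the file name, the "plain name" pattern and the decision to block all anonymous callers (which also disables the search widget for anonymous shoppers) are assumptions you should adjust to your store.

```php
<?php
/*
Plugin Name: CVE-2025-1661 temporary guard
Description: Blocks unsafe woof_text_search AJAX calls until HUSKY is updated.
*/
// Added example, not part of HUSKY. Save as wp-content/mu-plugins/cve-2025-1661-guard.php.
// The name pattern and the choice to block anonymous callers are assumptions.

// Set to false to keep text search working for anonymous shoppers and only
// reject requests whose template value is not a plain name.
const CVE_2025_1661_BLOCK_ANONYMOUS = true;

// A safe template value is a short plain name: no slashes, dots or wrapper prefixes.
function cve_2025_1661_template_is_plain(string $template): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $template);
}

// Pure decision function, kept separate from the hook so it can be unit-tested.
function cve_2025_1661_should_block(array $request, bool $logged_in): bool
{
    if (($request['action'] ?? '') !== 'woof_text_search') {
        return false;                                   // not the vulnerable action
    }
    if (CVE_2025_1661_BLOCK_ANONYMOUS && !$logged_in) {
        return true;                                    // the unauthenticated surface
    }
    if (!array_key_exists('template', $request)) {
        return false;                                   // plugin falls back to its default
    }
    $template = $request['template'];
    // Arrays (template[]=...) are never legitimate here, so block them too.
    return !is_string($template) || !cve_2025_1661_template_is_plain($template);
}

// admin-ajax.php fires admin_init before dispatching the wp_ajax_* and
// wp_ajax_nopriv_* handlers, so a 403 here stops the plugin's handler from running.
add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return;
    }
    if (cve_2025_1661_should_block($_REQUEST, is_user_logged_in())) {
        $template = $_REQUEST['template'] ?? '-';
        error_log(sprintf(
            'CVE-2025-1661 guard: blocked woof_text_search from %s (template=%s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            is_string($template) ? $template : '[array]'
        ));
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});
```

Must-use plugins load before regular plugins and cannot be disabled from the dashboard, which is what you want for a stopgap. The error_log line gives you a record of attempts to search for after you upgrade; remove the file once the updated plugin is installed and verified.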
Summary Table
| What | Detail |
|------|--------------------------------------------|
| Affected Plugin | HUSKY – Products Filter Professional for WooCommerce |
| Affected Versions | ≤ 1.3.6.5 |
| Attack Type | Local File Inclusion (LFI) |
| Risk | Data leak, code execution, full site compromise |
| Patch | Update to a release newer than 1.3.6.5 |
Conclusion
This Local File Inclusion vulnerability, CVE-2025-1661, puts WooCommerce stores at serious risk. It requires no login, and it lets an attacker make the server include, and therefore execute, files of their choosing. The best fix: update now, lock down your uploads directory, and check it for anything you did not put there.
For more info and updates, check the following
- Wordfence CVE-2025-1661 Writeup
- WPScan CVE-2025-1661
- HUSKY Plugins on WordPress.org
Stay safe! Update your plugins and watch for more security news. If you found this helpful, share it with other WooCommerce users.
Timeline
Published on: 03/11/2025 04:15:24 UTC
Last modified on: 03/19/2025 20:48:03 UTC