This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Unauthenticated Local File Inclusion (LFI) via `template` param in `woof_text_search` AJAX action.β¦
π‘οΈ **Root Cause**: CWE-22 (Path Traversal). The plugin fails to sanitize the `template` parameter, allowing directory traversal sequences (`../`) to access files outside the intended directory.
Q3Who is affected? (Versions/Components)
π¦ **Affected**: WordPress Plugin **HUSKY β Products Filter Professional for WooCommerce**. π **Versions**: **1.3.6.5 and earlier**. Vendor: **realmag777**.
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: Unauthenticated users can include & execute arbitrary PHP files. π **Impact**: Full server compromise, data exfiltration, and bypassing security controls. CVSS Score is **Critical (9.8)**.
Q5Is exploitation threshold high? (Auth/Config)
β‘ **Threshold**: **LOW**. No authentication (PR:N) or user interaction (UI:N) required. Exploitation is remote and straightforward (AV:N, AC:L).
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Public Exploits**: **YES**. Multiple PoCs are available on GitHub (e.g., gbrsh, MuhammadWaseem29) and Nuclei templates. Wild exploitation is highly likely.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for the plugin version < 1.3.6.6. Use Nuclei templates for CVE-2025-1661. Check if `woof_text_search` AJAX endpoint accepts unsanitized `template` parameters.
π§ **No Patch?**: Disable the plugin immediately. If essential, restrict access to `wp-admin` and use a WAF to block `../` sequences in AJAX requests. Monitor logs for LFI attempts.
Q10Is it urgent? (Priority Suggestion)
π₯ **Urgency**: **CRITICAL**. CVSS 9.8 + Public PoCs + Unauthenticated. Patch immediately to prevent server takeover. Do not delay!