A severe vulnerability has been discovered in the popular WordPress plugin “HUSKY – WooCommerce Products Filter Professional,” formerly known as WOOF, leaving over 100,000 online stores at risk of complete compromise. The flaw, tracked as CVE-2025-1661 with a critical CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary files on affected servers, potentially leading to data breaches, site defacement, and full system control.
The vulnerable plugin, designed to enhance WooCommerce product filtering, suffers from a Local File Inclusion (LFI) vulnerability in versions up to and including 1.3.6.5. This critical flaw resides within the ‘template’ parameter of the ‘woof_text_search’ AJAX action, effectively allowing malicious actors to inject and execute any PHP code present on the server.
“This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files,” warns the official vulnerability disclosure. This means that even without logging in, an attacker could exploit the flaw to access sensitive information, bypass security measures, and even execute malicious code.
The potential impact of CVE-2025-1661 is significant. Attackers could leverage this flaw to:
- Steal sensitive customer data: Including names, addresses, payment information, and order histories.
- Inject malicious code: Leading to site defacement, redirection to phishing sites, or the installation of backdoors for persistent access.
- Gain complete server control: In cases where attackers can upload and include “safe” file types, such as images, that contain embedded malicious code.
Security researcher Hiroho Shimada is credited with discovering and reporting this critical vulnerability.
The sheer number of affected websites, with over 100,000 active installations, amplifies the urgency of patching this flaw. Online store owners are strongly advised to immediately update their HUSKY plugin to version 1.3.6.6, which includes a fix for the vulnerability.
