CVE-2024-6457 (CVSS 9.8): Critical Flaw in HUSKY Plugin Threatens 100K+ WooCommerce Stores
A critical vulnerability has been discovered in the widely used WordPress plugin HUSKY – Products Filter Professional for WooCommerce. The flaw, tracked as CVE-2024-6457 with a CVSS score of 9.8 (Critical), leaves over 100,000 WooCommerce-powered online stores exposed to unauthorized data breaches.
The vulnerability stems from insufficient sanitization of user-supplied input in the ‘woof_author’ parameter, which lets malicious actors inject rogue SQL into the plugin’s database queries. This class of flaw, known as SQL injection, allows an attacker to extract sensitive information, modify data, or even gain complete control over the underlying database.
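To make the defect class concrete, the following is an added example of a hypothetical WooCommerce product-filter query, not HUSKY's own code. It shows the vulnerable shape the advisory describes (a request parameter concatenated into SQL) next to the hardened form (shape validation followed by value binding with `$wpdb->prepare()`); the function names and the `woocommerce_product_query` wiring are assumptions for illustration, while `woof_author` is the parameter named in the advisory.

```php
<?php
// Added example, not HUSKY's own code: a hypothetical product filter that
// narrows WooCommerce products by author. Function names are assumptions.

// --- Vulnerable pattern: the request parameter becomes part of the SQL text ---
function filter_products_by_author_vulnerable( $woof_author ) {
    global $wpdb;
    // Whatever the client sends in woof_author is spliced into the query,
    // so SQL syntax in the parameter is executed as SQL. This is the
    // defect class behind CVE-2024-6457.
    $sql = "SELECT ID FROM {$wpdb->posts}
            WHERE post_type = 'product'
              AND post_status = 'publish'
              AND post_author IN ( " . $woof_author . " )";
    return $wpdb->get_col( $sql );
}

// --- Hardened pattern: validate the shape, then bind values with prepare() ---
function filter_products_by_author_safe( $woof_author ) {
    global $wpdb;

    // 1. Normalise: accept an array or a comma-separated list of author IDs.
    $raw = is_array( $woof_author ) ? $woof_author : explode( ',', (string) $woof_author );

    // 2. Validate: author IDs are positive integers; drop everything else.
    //    absint() coerces to a non-negative int, array_filter() removes zeros.
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) );
    if ( empty( $ids ) ) {
        return array(); // nothing valid to filter on; never fall back to raw input
    }

    // 3. Bind: one %d placeholder per ID, so values are never SQL text.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts}
         WHERE post_type = 'product'
           AND post_status = 'publish'
           AND post_author IN ( $placeholders )",
        $ids
    );
    return $wpdb->get_col( $sql );
}

// Typical wiring in a filter plugin (assumed): read the parameter from the
// request and pass it only to the safe variant. Note that sanitize_text_field()
// alone is not sufficient for SQL context; the integer validation and
// prepare() above are what keep the value out of the query text.
add_action( 'woocommerce_product_query', function ( $query ) {
    if ( isset( $_GET['woof_author'] ) ) {
        $ids = filter_products_by_author_safe( wp_unslash( $_GET['woof_author'] ) );
        // An empty match must still restrict results, so use a non-existent ID.
        $query->set( 'post__in', empty( $ids ) ? array( 0 ) : $ids );
    }
} );
```

The design point is that validation and binding are separate defences: validation rejects anything that is not an integer list, and `prepare()` guarantees that even a value which slips through cannot change the query's structure. Either alone is weaker than both together.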
The potential consequences of this vulnerability are severe. Attackers could steal customer data, including personally identifiable information (PII), payment card details, and login credentials. They could also tamper with product information, deface websites, or disrupt online store operations.
Any online store using HUSKY – Products Filter Professional for WooCommerce, versions 1.3.6 and below, is at immediate risk. Given the plugin’s popularity and extensive user base, this vulnerability poses a significant threat to a large portion of the WooCommerce ecosystem.
The developers of HUSKY have promptly released a patched version, 1.3.6.1, to address the CVE-2024-6457 vulnerability. All store owners are strongly urged to update to this version or a newer patched release as soon as possible.