CVE-2024-30462 Overview
CVE-2024-30462 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting the realmag777 HUSKY – Products Filter Professional for WooCommerce plugin (formerly WOOF) for WordPress. The flaw impacts all versions from the initial release through 1.3.5.1. An attacker can craft a malicious request that, when triggered by an authenticated administrator, performs unauthorized actions on the affected WooCommerce site. The vulnerability requires user interaction but does not require attacker authentication, making targeted phishing of site administrators a viable attack path.
Critical Impact
Successful exploitation can compromise confidentiality, integrity, and availability of WordPress sites running HUSKY through version 1.3.5.1, with a CVSS score of 8.8.
Affected Products
- HUSKY – Products Filter Professional for WooCommerce (formerly WOOF)
- All versions up to and including 1.3.5.1 (no lower bound is specified in the advisory)
- WordPress sites with the vulnerable plugin installed and active
Discovery Timeline
- 2024-03-29 - CVE-2024-30462 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2024-30462
Vulnerability Analysis
The HUSKY plugin extends WooCommerce with advanced product filtering features. The vulnerability stems from missing or inadequate CSRF protection on one or more state-changing actions exposed by the plugin. Without a properly validated anti-CSRF token (such as a WordPress nonce), the plugin accepts requests based solely on the session cookie of the victim's authenticated browser.
An attacker hosts a malicious page or injects a crafted link into email, chat, or a third-party site. When an authenticated administrator visits the attacker-controlled content, the browser automatically issues the forged request to the WordPress site. The plugin processes the action as if the administrator initiated it, enabling configuration tampering or other privileged operations.
Because the request leverages the victim's existing session, the impact spans confidentiality, integrity, and availability of the WooCommerce store and surrounding WordPress data.
Root Cause
The root cause is missing CSRF token validation on plugin endpoints that perform sensitive actions. WordPress provides wp_nonce_field() and check_admin_referer() primitives for CSRF defense, but the affected HUSKY versions do not consistently apply these checks to the vulnerable handlers.
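As an added illustration of this pattern (example code written for this page, not HUSKY's own; the handler names, action slug, option key and capability are hypothetical), the first handler accepts any request that arrives with the administrator's session cookie, while the second applies check_admin_referer() and a capability check before touching the option:

```php
<?php
// Added illustration of the root cause, not code from HUSKY: all function names,
// the action slug and the option key are hypothetical.

// VULNERABLE pattern: the handler trusts the browser's session cookie alone, so any
// page that makes the admin's browser POST to admin-post.php?action=hypo_save_filters
// gets its input written straight into the option.
function hypo_save_filters_vulnerable() {
    update_option( 'hypo_filter_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_safe_redirect( admin_url( 'admin.php?page=hypo-filters' ) );
    exit;
}

// HARDENED pattern: check_admin_referer() verifies the _wpnonce tied to this action
// (and to the current user's session and a time window), the capability check then
// enforces least privilege, and input is sanitized before it is stored.
function hypo_save_filters_fixed() {
    check_admin_referer( 'hypo_save_filters' );          // wp_die()s with 403 on failure

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ), 403 );
    }

    $raw      = isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'hypo_filter_settings', $settings );

    wp_safe_redirect( admin_url( 'admin.php?page=hypo-filters' ) );
    exit;
}
add_action( 'admin_post_hypo_save_filters', 'hypo_save_filters_fixed' );

// The form must carry the matching nonce; a page on another origin cannot read it.
function hypo_render_filters_form() {
    $settings = (array) get_option( 'hypo_filter_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hypo_save_filters">
        <?php wp_nonce_field( 'hypo_save_filters' ); // emits _wpnonce and _wp_http_referer ?>
        <label>Layout
            <input type="text" name="settings[layout]" value="<?php echo esc_attr( $settings['layout'] ?? '' ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```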
Attack Vector
Exploitation occurs over the network and requires the victim, typically a logged-in administrator, to interact with attacker-controlled content. The attacker delivers a forged HTML form, image tag, or JavaScript fetch directed at the WordPress admin endpoint exposed by the plugin. No prior authentication or privileges are required from the attacker. Refer to the Patchstack Vulnerability Advisory for additional technical context.
Detection Methods for CVE-2024-30462
Indicators of Compromise
- Unexpected changes to HUSKY plugin configuration or WooCommerce filter settings without a corresponding admin login event.
- HTTP POST requests to plugin admin endpoints with an external or absent Referer header.
- Administrator browser sessions accessing unfamiliar third-party URLs immediately preceding configuration changes.
Detection Strategies
- Inspect web server access logs for state-changing requests to wp-admin endpoints associated with the HUSKY plugin that carry no _wpnonce parameter (access logs record the query string but normally not the POST body, so treat a missing nonce as a weak signal on its own).
- Compare WordPress option table snapshots over time to identify unauthorized modifications to plugin settings.
- Correlate admin activity with referer headers and source IP addresses to flag cross-origin request patterns.
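An added example implementing the first and third strategies above over constructed access-log lines (not part of the advisory; the site host and log lines are made up). It flags POSTs to common WordPress admin endpoints whose Referer is absent or points off-site; because access logs record the query string but not the POST body, a _wpnonce sent in the body is invisible, so its absence is reported only as a weak supporting signal.

```php
<?php
// Added detection example (not from the advisory): flags cross-origin POSTs to WordPress
// admin endpoints in combined-format access logs. All log lines below are constructed.
const SITE_HOST = 'shop.example'; // hypothetical monitored site
// host ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE   = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
const ADMIN_RE = '#^/wp-admin/(admin-post|admin-ajax|options|admin)\.php$#';

function parse_log_line(string $line): ?array {
    if (!preg_match(LOG_RE, trim($line), $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'referer' => $m[6]];
}

// Returns a finding for a suspicious admin POST, or null when the request looks benign.
function classify_request(array $req): ?string {
    $url = parse_url('http://' . SITE_HOST . $req['path']);
    if ($req['method'] !== 'POST' || !preg_match(ADMIN_RE, $url['path'] ?? '')) {
        return null;
    }
    $host = parse_url($req['referer'], PHP_URL_HOST);
    if (!is_string($host)) {                  // "-" or empty: Referer absent
        $reason = 'no Referer';
    } elseif (strcasecmp($host, SITE_HOST) !== 0) {
        $reason = "cross-origin Referer ($host)";
    } else {
        return null;                          // same-origin POST: normal admin activity
    }
    // A nonce in the query string is visible; one sent in the POST body is never logged,
    // so its absence here is only a weak corroborating signal next to the Referer check.
    parse_str($url['query'] ?? '', $query);
    $nonce = isset($query['_wpnonce']) ? '_wpnonce in query' : 'no _wpnonce in query (body not logged)';
    return "{$req['time']} {$req['ip']} POST {$url['path']}: $reason; $nonce";
}

// Constructed samples: a legitimate same-origin save, a forged cross-site POST, an absent Referer.
$sample = [
    '198.51.100.7 - - [29/Mar/2024:10:00:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=filters" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Mar/2024:10:05:44 +0000] "POST /wp-admin/admin-post.php?action=save_settings HTTP/1.1" 302 0 "https://attacker.example/promo.html" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Mar/2024:10:06:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
];
foreach ($sample as $line) {
    $req = parse_log_line($line);
    if ($req !== null && ($finding = classify_request($req)) !== null) {
        echo $finding, PHP_EOL;   // the second and third sample lines are reported
    }
}
```

To run it against a real log, replace $sample with file('access.log') and set SITE_HOST to the store's hostname.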
Monitoring Recommendations
- Enable WordPress audit logging to capture plugin setting changes, user role modifications, and option updates.
- Forward web access logs and WordPress audit events to a centralized log platform for retention and search.
- Alert on administrator sessions performing privileged actions shortly after visiting non-corporate domains.
How to Mitigate CVE-2024-30462
Immediate Actions Required
- Update the HUSKY – Products Filter Professional for WooCommerce plugin to a version later than 1.3.5.1 as soon as a fixed release is available from the vendor.
- Restrict WordPress administrator accounts to dedicated browser profiles or sessions that are not used for general browsing.
- Enforce multi-factor authentication on all administrative accounts to limit downstream impact if a session is abused.
Patch Information
Review the Patchstack Vulnerability Advisory for the latest patch status and remediation guidance. If a vendor patch is not yet available, consider deactivating the plugin until a fixed version is released.
Workarounds
- Deploy a Web Application Firewall (WAF) rule that requires a valid same-origin Referer or Origin header on admin-area POST requests.
- Limit access to /wp-admin/ by source IP using web server or reverse proxy ACLs.
- Train administrators to log out of WordPress sessions when not actively performing administrative tasks.
# Example nginx configuration restricting wp-admin access by source IP
location ^~ /wp-admin/ {
    allow 203.0.113.0/24;   # trusted admin network
    deny  all;
    try_files $uri $uri/ /index.php?$args;
    # ^~ stops the top-level PHP regex location matching here, so PHP must be handled in this block (point fastcgi_pass at the site's PHP-FPM socket)
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


