CVE-2025-11735 Overview
CVE-2025-11735 is a blind SQL Injection vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress. The flaw affects all versions up to and including 1.3.7.1. The vulnerability resides in the handling of the phrase parameter, which is concatenated into a SQL query without sufficient escaping or query preparation. Unauthenticated attackers can append additional SQL statements to the existing query and extract sensitive data from the WordPress database. The issue is classified under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Unauthenticated remote attackers can perform blind SQL injection through the phrase parameter to exfiltrate database contents, including user credentials and customer data from WooCommerce stores.
Affected Products
- HUSKY – Products Filter Professional for WooCommerce (WordPress plugin)
- All versions up to and including 1.3.7.1
- WordPress sites running WooCommerce with this plugin installed
Discovery Timeline
- 2025-10-28 - CVE-2025-11735 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-11735
Vulnerability Analysis
The vulnerability exists in the text-based filtering extension of the HUSKY plugin, specifically within the ext/by_text_2/index.php file. The phrase parameter, supplied by users through HTTP requests, is incorporated directly into a SQL query that searches WooCommerce product data. The plugin fails to apply wpdb::prepare() or proper escaping routines before query execution.
Because the injection is blind, attackers cannot view query results directly in the HTTP response. Instead, they use boolean-based or time-based techniques to infer data one character at a time. The unauthenticated nature of the endpoint allows any visitor to issue malicious requests against affected storefronts.
Root Cause
The root cause is insufficient sanitization of the phrase parameter combined with the absence of parameterized queries. The plugin treats user input as trusted data when constructing the SQL string. This violates secure coding practices for the WordPress database abstraction layer, which provides $wpdb->prepare() precisely to prevent this class of issue.
Attack Vector
An attacker sends an HTTP request to the vulnerable filter endpoint with a crafted phrase parameter containing SQL syntax. The injected payload uses techniques such as UNION SELECT, boolean conditions, or SLEEP() calls to extract data. No authentication, user interaction, or special privileges are required. The attack is fully remote over the network.
The vulnerability manifests in the text filter handler at line 164 of ext/by_text_2/index.php. See the WordPress Plugin Code Review and Wordfence Vulnerability Report for technical details.
Detection Methods for CVE-2025-11735
Indicators of Compromise
- HTTP requests containing SQL keywords such as UNION, SELECT, SLEEP, or BENCHMARK in the phrase parameter
- Unusually long or URL-encoded values submitted to HUSKY filter endpoints
- Spikes in database query latency correlated with requests to WooCommerce filter URLs
- Unexpected outbound traffic from the web server following filter requests
Detection Strategies
- Inspect web server access logs for requests to HUSKY filter endpoints containing SQL metacharacters in the phrase parameter
- Enable WordPress query logging and review for malformed SELECT statements originating from the plugin
- Deploy Web Application Firewall (WAF) rules targeting SQL injection patterns on WooCommerce filter routes
- Correlate database error logs with HTTP request timestamps to identify probing attempts
Monitoring Recommendations
- Monitor for repeated HTTP 500 errors or anomalous response times on pages using the HUSKY filter
- Alert on outbound database connections or large result sets returned to anonymous users
- Track plugin version inventory across WordPress deployments to identify unpatched instances
How to Mitigate CVE-2025-11735
Immediate Actions Required
- Update the HUSKY – Products Filter Professional for WooCommerce plugin to a version newer than 1.3.7.1 as soon as a fixed release is available
- Disable or uninstall the plugin if a patched version is not yet available
- Review database audit logs for evidence of prior exploitation, focusing on access to wp_users and customer tables
- Rotate WordPress administrator credentials and WooCommerce API keys if compromise is suspected
Patch Information
The vendor must release a version after 1.3.7.1 that applies $wpdb->prepare() with proper placeholders to the SQL query handling the phrase parameter. Administrators should consult the Wordfence Vulnerability Report for the latest patch status and apply updates through the WordPress plugin manager.
Workarounds
- Deploy a WAF rule that blocks SQL keywords and metacharacters in the phrase query parameter on WooCommerce endpoints
- Restrict access to filter endpoints behind authentication or IP allowlisting where feasible
- Apply virtual patching through WordPress security plugins until an official fix is released
- Temporarily remove the text filter widget from public-facing pages to reduce exposure
# Example WAF rule (ModSecurity) to block SQL injection patterns in the phrase parameter
SecRule ARGS:phrase "@rx (?i)(union[\s\+]+select|sleep\s*\(|benchmark\s*\(|--|/\*|;)" \
"id:1011735,phase:2,deny,status:403,msg:'CVE-2025-11735 HUSKY SQLi attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
