CVE-2025-1661 Overview
CVE-2025-1661 is a critical Local File Inclusion (LFI) vulnerability affecting the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress. The vulnerability exists in all versions up to and including 1.3.6.5 and allows unauthenticated attackers to include and execute arbitrary files on the server through the template parameter of the woof_text_search AJAX action.
This vulnerability enables attackers to execute arbitrary PHP code on vulnerable WordPress installations, potentially leading to complete site compromise. Because the attack requires no authentication, any WordPress site running the affected plugin versions is at immediate risk.
Critical Impact
Unauthenticated attackers can achieve remote code execution by exploiting Local File Inclusion in the HUSKY plugin, enabling access control bypass, sensitive data theft, and full server compromise.
Affected Products
- HUSKY – Products Filter Professional for WooCommerce versions ≤ 1.3.6.5
- WordPress installations running the vulnerable plugin
- WooCommerce-based e-commerce sites using HUSKY for product filtering
Discovery Timeline
- 2025-03-11 - CVE-2025-1661 published to NVD
- 2025-03-19 - Last updated in NVD database
Technical Details for CVE-2025-1661
Vulnerability Analysis
This Local File Inclusion vulnerability stems from improper input validation in the woof_text_search AJAX action handler. The template parameter accepts user-controlled input that is directly used in a file inclusion operation without adequate sanitization or path restriction.
The vulnerability is classified under CWE-22 (Path Traversal), indicating the application fails to properly neutralize special elements within a pathname. Attackers can leverage path traversal sequences to escape intended directories and include arbitrary files from the server filesystem.
What makes this vulnerability particularly dangerous is its accessibility—the affected AJAX endpoint is available to unauthenticated users. This means attackers do not need any WordPress credentials to exploit the vulnerability. Combined with the ability to execute PHP code in included files, this creates a direct path to remote code execution.
Root Cause
The root cause is insufficient input validation on the template parameter within the woof_text_search AJAX handler. The vulnerable code located in the plugin's text search extension (ext/by_text/index.php) fails to:
- Validate that the requested template file exists within expected directories
- Sanitize path traversal sequences (e.g., ../) from user input
- Restrict file inclusion to a whitelist of allowed template files
- Verify file extensions before inclusion
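The four missing checks above can be shown together in one safe template resolver. This is an added illustration written for this page, not code from the HUSKY plugin; the directory layout, the whitelist entries and the `resolve_template()` name are assumptions made for the example. The idea is that the request value only ever selects an entry from a fixed list, the path is built from that entry with a pinned `.php` extension, and the canonicalised result is verified to still sit under the template directory.

```php
<?php
// Added example (not the HUSKY plugin's code): resolving a request-supplied
// template name safely before it reaches include/require.

function resolve_template(string $requested, string $template_dir, array $allowed): ?string
{
    // 1. Whitelist: the request may only choose a known template name.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Build the path from the whitelist entry, never from raw input,
    //    and pin the extension so ".php" cannot be swapped for anything else.
    $candidate = $template_dir . DIRECTORY_SEPARATOR . $requested . '.php';

    // 3. Canonicalise and verify the file exists and is still inside
    //    $template_dir (guards against symlinks and misconfiguration).
    $real_dir  = realpath($template_dir);
    $real_file = realpath($candidate);
    if ($real_dir === false || $real_file === false) {
        return null;
    }
    $prefix = $real_dir . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real_file;
}

// Demo with a throwaway template directory (constructed for the example).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'template_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'default.php', "<?php echo 'default template';\n");
$allowed = ['default', 'compact'];   // assumed whitelist; 'compact' has no file on disk

$inputs = [
    'default',                    // allowed and present: resolved
    'compact',                    // allowed but missing: rejected by realpath()
    '../../wp-config',            // traversal: rejected by the whitelist
    'default.php',                // extension supplied by the client: rejected
    '%2e%2e%2fetc%2fpasswd',      // encoded traversal: rejected by the whitelist
];
foreach ($inputs as $t) {
    $r = resolve_template($t, $dir, $allowed);
    printf("%-26s => %s\n", var_export($t, true), $r === null ? 'REJECTED' : 'include ' . $r);
}

unlink($dir . DIRECTORY_SEPARATOR . 'default.php');
rmdir($dir);
```

Because the whitelist check runs first, the `realpath()` comparison never sees attacker-controlled path segments; it remains as a second layer in case the whitelist is ever populated from an untrusted source.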
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Sending a crafted HTTP request to the WordPress AJAX handler (wp-admin/admin-ajax.php)
- Specifying the woof_text_search action
- Manipulating the template parameter with path traversal sequences to reference arbitrary files
- Achieving code execution when PHP files are included, or extracting sensitive data from configuration files
The vulnerability can be chained with file upload functionality—if attackers can upload files disguised as images or other "safe" file types containing PHP code, they can then include those files via this LFI vulnerability to achieve code execution.
For technical details on the vulnerable code, see the WordPress Plugin Code Index and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-1661
Indicators of Compromise
- Unusual HTTP POST requests to wp-admin/admin-ajax.php with action woof_text_search containing path traversal patterns (../)
- Web server access logs showing requests with encoded path traversal sequences (%2e%2e%2f)
- Unexpected file access patterns in PHP file inclusion logs
- New or modified files in upload directories with PHP code embedded in image files
Detection Strategies
- Monitor AJAX requests for the woof_text_search action with suspicious template parameter values
- Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts
- Review WordPress error logs for failed file inclusion attempts indicating reconnaissance activity
- Deploy endpoint detection solutions to identify unusual file access patterns by the web server process
Monitoring Recommendations
- Enable verbose logging for WordPress AJAX handlers to capture full request parameters
- Configure real-time alerting for path traversal pattern detection in web server logs
- Monitor for unexpected PHP file creation or modification in the WordPress uploads directory
- Implement file integrity monitoring on critical WordPress and plugin directories
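The indicators and monitoring steps above can be turned into a small log scanner. The script below is an added example for this page, not code from the plugin vendor or from the cited reports; the Apache combined-format log lines are constructed, and the only page-derived facts are the `admin-ajax.php` endpoint, the `woof_text_search` action and the `template` parameter. It decodes the query string repeatedly so that both `%2e%2e%2f` and double-encoded variants such as `%252F` are recognised.

```php
<?php
// Added example (not from the original page): flag CVE-2025-1661 probes in
// web server access logs. Requires PHP 8 (str_ends_with).

const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<uri>\S+) \S+" (?<status>\d{3})/';

// Percent-decode until the value stops changing (bounded to avoid loops).
function decode_fully(string $s, int $max = 3): string
{
    for ($i = 0; $i < $max; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// True when the request targets admin-ajax.php with action=woof_text_search
// and the template parameter contains a traversal sequence after decoding.
function is_lfi_probe(string $uri): bool
{
    $parts = parse_url($uri);
    if (!str_ends_with($parts['path'] ?? '', '/admin-ajax.php')) {
        return false;
    }
    parse_str($parts['query'] ?? '', $q);   // parse_str() decodes one layer
    if (($q['action'] ?? '') !== 'woof_text_search') {
        return false;
    }
    $template = decode_fully((string) ($q['template'] ?? ''));
    return (bool) preg_match('#\.\.[/\\\\]#', $template);
}

// Scan an array of log lines and return the suspicious entries.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match(LOG_RE, $line, $m) || !is_lfi_probe($m['uri'])) {
            continue;
        }
        $hits[] = [
            'line'   => $n + 1,
            'ip'     => $m['ip'],
            'time'   => $m['time'],
            'status' => (int) $m['status'],
            'uri'    => $m['uri'],
        ];
    }
    return $hits;
}

// Constructed sample log lines. Note that the POST on the last line carries
// its parameters in the body, which access logs do not record; catching that
// case needs WAF or request-body logging (the "verbose logging" step above).
$sample = [
    '203.0.113.10 - - [12/Mar/2025:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2025:10:15:03 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=default HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2025:10:15:05 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.5 - - [12/Mar/2025:10:16:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $hit) {
    printf("line %d: %s at %s (HTTP %d) %s\n",
        $hit['line'], $hit['ip'], $hit['time'], $hit['status'], $hit['uri']);
}
```

Run on the constructed input, lines 1 and 3 are reported (the second is the double-encoded variant) while the benign `template=default` request and the body-only POST are not; the same source address appearing on both hits is the kind of pattern worth correlating with the file integrity checks listed above.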
How to Mitigate CVE-2025-1661
Immediate Actions Required
- Update HUSKY – Products Filter Professional for WooCommerce plugin to a version newer than 1.3.6.5 immediately
- If immediate update is not possible, temporarily deactivate the HUSKY plugin until patching is complete
- Review web server logs for signs of exploitation attempts
- Conduct a security audit of the WordPress installation for any signs of compromise
- Implement WAF rules to block path traversal attempts targeting the AJAX endpoint
Patch Information
Pluginus has released patches addressing this vulnerability. Security fixes are available in the WordPress plugin repository changesets:
Update via the WordPress admin dashboard: Navigate to Plugins → Installed Plugins → HUSKY – Products Filter Professional for WooCommerce → Update Now.
Workarounds
- Deactivate the HUSKY plugin until an update can be applied if the plugin is not critical to site operations
- Implement server-level restrictions using ModSecurity or similar WAF to block requests containing path traversal patterns targeting admin-ajax.php
- Restrict AJAX endpoint access at the web server level to authenticated users only if feasible for your site architecture
- Add custom PHP code to functions.php to remove the vulnerable AJAX action handler temporarily
# Apache ModSecurity rule to block path traversal attempts.
# In a chained rule, the disruptive action and the metadata (id, msg) must
# sit on the chain starter; urlDecodeUni catches double-encoded sequences.
SecRule ARGS:action "@streq woof_text_search" \
    "id:1001,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'CVE-2025-1661 LFI Attempt Blocked',\
    chain"
    SecRule ARGS:template "@contains ../" \
        "t:none,t:urlDecodeUni"
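The last workaround in the list, removing the vulnerable AJAX handler from the theme's functions.php, looks like the following. This is an added example written for this page, not the plugin's code and not a vendor-supplied fix; it relies only on the `woof_text_search` action and `template` parameter named in the advisory plus the standard WordPress hook functions, and the `husky_guard_template_param` function name is invented here. `admin-ajax.php` runs the `admin_init` hook before dispatching `wp_ajax_nopriv_{action}`, so removing the hooks at that point also catches handlers the plugin registered at load time.

```php
<?php
// Added example (not from the original page, not HUSKY plugin code):
// temporary guard for CVE-2025-1661, to be placed in the active theme's
// functions.php or an mu-plugin until the plugin is updated.

// 1. Remove every unauthenticated handler for the action. After this, no
//    handler runs for anonymous requests to action=woof_text_search, which
//    disables the visitor-facing text search until the plugin is patched.
add_action('admin_init', function (): void {
    remove_all_actions('wp_ajax_nopriv_woof_text_search');
}, PHP_INT_MAX);

// 2. Defence in depth for logged-in users: run at priority 0, before the
//    plugin's own handler, and reject template values that are not a plain
//    name. Decoding is repeated so %2e%2e%2f and double-encoded variants
//    are inspected in their final form.
function husky_guard_template_param(): void
{
    $raw = isset($_REQUEST['template']) ? (string) wp_unslash($_REQUEST['template']) : '';

    $decoded = $raw;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }

    if ($decoded !== '' && !preg_match('/^[A-Za-z0-9_-]+$/', $decoded)) {
        error_log(sprintf(
            'CVE-2025-1661 guard: blocked template=%s from %s',
            $raw,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        // Ends the request; the plugin's handler at priority 10 never runs.
        wp_send_json_error(['message' => 'Invalid template parameter.'], 400);
    }
}
add_action('wp_ajax_woof_text_search', 'husky_guard_template_param', 0);
```

The allow-list regex deliberately rejects slashes, dots and percent signs rather than searching for `../`, so encoded or unusual traversal spellings are blocked along with the obvious ones. Remove the guard once the plugin has been updated past 1.3.6.5, otherwise it will keep the front-end search disabled.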
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


