Cyber Posture

CVE-2025-1661

Critical

Published: 11 March 2025
Modified: 19 March 2025
KEV Added: none listed
Patch: see the changesets cited in the Security Summary
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9315 (99.8th percentile)
Risk Priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Local File Inclusion (CWE-22) in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, affecting all versions up to and including 1.3.6.5, via the 'template' parameter of the woof_text_search AJAX action. An unauthenticated attacker can include and execute arbitrary files on the server, including PHP code contained in uploaded files.

Security Summary

CVE-2025-1661, published on 2025-03-11, is a Local File Inclusion vulnerability (classified as CWE-22, path traversal) in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, affecting all versions up to and including 1.3.6.5. The flaw is in the handling of the 'template' parameter of the woof_text_search AJAX action: the parameter value is used to select a file to include, so an attacker can make the server include and execute an arbitrary file, including any PHP code that file contains.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required, which is why it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation lets an attacker execute arbitrary PHP code, bypass access controls and read sensitive data. Because inclusion runs whatever PHP the target file contains regardless of its extension, an attacker who can first place a "safe" file type such as an image containing a PHP payload on the server (for example through an upload feature) can then include it to obtain code execution.
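
The following PHP is an added illustration of the inclusion pattern described above beside a hardened equivalent; it is not the plugin's own code, and the function names, the template directory layout and the sample template file are assumptions made for the demo. It goes slightly beyond the advisory by showing the two checks that together defeat this class of bug: an allowlist of template names, and a realpath confinement check that also catches symlinks and stream wrappers.

```php
<?php
// Added illustration (not the HUSKY plugin's code): an unsafe "template"
// include beside a hardened version. Function names, the template
// directory and the sample template file are assumptions for this demo.

declare(strict_types=1);

// Unsafe pattern: the request parameter decides which file PHP includes.
// Anything readable by the web server is executed as PHP, e.g.
// template=../../wp-content/uploads/2025/03/avatar.jpg holding a payload.
// (Defined for comparison only; the demo below never calls it.)
function render_template_unsafe(string $template_dir, string $template): void
{
    include $template_dir . '/' . $template; // attacker controls the path
}

// Hardened pattern: allowlist the names, then confirm the resolved path is
// still inside the template directory before including it.
function resolve_template(string $template_dir, string $template, array $allowed): ?string
{
    if (!in_array($template, $allowed, true)) {
        return null;                          // not a name we ship
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null;                          // missing file or directory
    }
    // Defence in depth: even with an allowlist, refuse anything that
    // resolves outside the template directory (symlinks, traversal).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $template_dir, string $template, array $allowed): bool
{
    $path = resolve_template($template_dir, $template, $allowed);
    if ($path === null) {
        return false;                         // caller answers with an error
    }
    include $path;
    return true;
}

// Self-check against a throwaway template directory (constructed sample data).
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/default.php', "<?php echo \"default template\\n\";");
$allowed = ['default', 'compact'];

assert(resolve_template($dir, 'default', $allowed) === realpath($dir . '/default.php'));
assert(resolve_template($dir, '../../etc/passwd', $allowed) === null);              // traversal
assert(resolve_template($dir, 'compact', $allowed) === null);                       // allowed name, file absent
assert(resolve_template($dir, 'php://filter/resource=default', $allowed) === null); // stream wrapper
assert(render_template_safe($dir, 'default', $allowed) === true);                   // prints "default template"

unlink($dir . '/default.php');
rmdir($dir);
```

Run it with `php demo.php`; the only output is the line printed by the included sample template, and every rejected input returns `null` before `include` is reached. The allowlist alone would stop the cases shown, but the `realpath` confinement is what protects you when a later change lets a template name come from a database or a settings page rather than a fixed list.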

Wordfence provides details on the vulnerability in its threat intelligence advisory. The fix appears in WordPress plugin trac changesets 3249621 and 3253169 for the woocommerce-products-filter repository, with the relevant source in the ext/by_text/index.php file. Security practitioners should update the plugin to a release later than 1.3.6.5 to mitigate exposure.

Details

CWE(s)
CWE-22

Affected Products

pluginus
husky - products filter professional for woocommerce
≤ 1.3.6.5

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The LFI flaw sits in a public-facing WordPress plugin and gives a remote, unauthenticated attacker arbitrary PHP file inclusion and execution. That maps directly to T1190 for the initial exploitation and to T1505.003 for the web-shell-style code execution that follows, including execution of payloads the attacker has previously uploaded as innocuous file types.
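
To hunt for the T1190 stage in web-server access logs, the following PHP script is an added example that is not part of the advisory: it parses combined-format log lines, keeps only admin-ajax.php requests carrying `action=woof_text_search`, and flags a `template` value that looks like an inclusion attempt. The log lines are constructed samples, and the set of "suspicious" patterns is an assumption based on the advisory's description of the parameter, not a list published by the plugin vendor or by Wordfence.

```php
<?php
// Added detection example (not from the advisory or the plugin): scan
// combined-format access logs for woof_text_search requests whose
// "template" parameter looks like a file-inclusion attempt.
// The sample log lines below are constructed for this demo.

declare(strict_types=1);

// Patterns a legitimate template name should never contain. Assumption:
// the plugin's template names are plain identifiers without slashes.
const SUSPICIOUS_TEMPLATE = [
    'traversal'      => '~(^|/)\.\.(/|$)~',
    'absolute path'  => '~^/~',
    'stream wrapper' => '~^[a-z][a-z0-9+.-]*://~i',
    'uploads dir'    => '~wp-content/uploads~i',
    'null byte'      => '~\x00~',
];

// Return the query string of a combined-format access log line, or null.
function request_query(string $line): ?string
{
    if (!preg_match('~"(?:GET|POST) (\S+) HTTP/~', $line, $m)) {
        return null;
    }
    $q = parse_url($m[1], PHP_URL_QUERY);
    return is_string($q) ? $q : null;
}

// Classify one line: null when benign, otherwise the reason it was flagged.
function classify_line(string $line): ?string
{
    $query = request_query($line);
    if ($query === null) {
        return null;
    }
    parse_str($query, $params);   // parse_str also URL-decodes the values
    if (($params['action'] ?? '') !== 'woof_text_search' || !isset($params['template'])) {
        return null;
    }
    $template = (string) $params['template'];
    foreach (SUSPICIOUS_TEMPLATE as $reason => $regex) {
        if (preg_match($regex, $template)) {
            return $reason;
        }
    }
    return null;
}

// Constructed sample lines. Only GET requests expose the parameter in the
// access log; a POST body would need a WAF or application-level log.
$sample = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=default HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../../wp-content/uploads/2025/03/avatar.jpg HTTP/1.1" 200 77',
    '198.51.100.9 - - [12/Mar/2025:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=php://filter/convert.base64-encode/resource=../wp-config.php HTTP/1.1" 200 3012',
    '198.51.100.9 - - [12/Mar/2025:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40',
];

foreach ($sample as $line) {
    $reason = classify_line($line);
    if ($reason !== null) {
        echo "ALERT [$reason]: $line\n";
    }
}
```

Against the samples, the first and last lines pass and the middle two are reported as `traversal` and `stream wrapper`. Because admin-ajax.php also accepts POST, an attacker can keep the parameter out of the access log entirely, so treat a clean log as absence of evidence rather than evidence of absence and pair this with the plugin version check from the Security Summary.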

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0