HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.5.2 - Authenticated (Subscriber+) Remote Code Execution

Wordfence Intelligence   >   Vulnerability Database   >   HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.5.2 - Authenticated (Subscriber+) Remote Code Execution
9.9
Improper Control of Generation of Code ('Code Injection')
CVE CVE-2024-32680
CVSS 9.9 (Critical)
Publicly Published April 17, 2024
Last Updated April 25, 2024
Researcher beluga

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.

References

Share

Vulnerability Details for HUSKY – Products Filter Professional for WooCommerce

HUSKY – Products Filter Professional for WooCommerce

Software Type Plugin
Software Slug woocommerce-products-filter (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.3.5.3, or a newer patched version
Affected Version
  • <= 1.3.5.2
Patched Version
  • 1.3.5.3

Recent vulnerabilities in HUSKY – Products Filter Professional for WooCommerce

HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr'
4.3
CVE-2025-13110
Dec 17, 2025
Researcher: Athiwat Tiprasaharn (Jitlada)
HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query'
4.3
CVE-2025-13109
Dec 3, 2025
Researcher: Athiwat Tiprasaharn (Jitlada)
HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.1 - Unauthenticated SQL Injection via `phrase` Parameter
7.5
CVE-2025-11735
Oct 27, 2025
Researcher: LionTree
HUSKY <= 1.3.7 - Authenticated (Contributor+) Local File Inclusion
8.8
CVE-2025-52708
Jun 19, 2025
Researcher: LVT-tholv2k
HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.4 - Unauthenticated Local File Inclusion
7.5
CVE-2025-26890
Mar 14, 2025
Researcher: Dimas Maulana
HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion
9.8
CVE-2025-1661
Mar 10, 2025
Researcher: Hiroho Shimada
HUSKY – Products Filter for WooCommerce <= 1.3.6.3 - Reflected Cross-Site Scripting via really_curr_tax Parameter
6.1
CVE-2024-11400
Nov 19, 2024
Researcher: Daniel Scheidt
HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.1 - Insecure Direct Object Reference to Unsubscribe
5.3
CVE-2024-7491
Sep 24, 2024
Researcher: shaman0x01
HUSKY <= 1.3.6.1 - Authenticated (Shop Manager+) Arbitrary Options Update
7.2
CVE-2024-43121
Aug 7, 2024
Researcher: Rafie Muhammad
HUSKY - Products Filter Professional for WooCommerce <= 1.3.6 - Unauthenticated Time-Based SQL Injection
9.8
CVE-2024-6457
Jul 15, 2024
Researcher: Arkadiusz Hydzik
# Title CVE ID CVSS Researchers Date
1 HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr' CVE-2025-13110 4.3 Athiwat Tiprasaharn (Jitlada) December 17, 2025
2 HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query' CVE-2025-13109 4.3 Athiwat Tiprasaharn (Jitlada) December 3, 2025
3 HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.1 - Unauthenticated SQL Injection via `phrase` Parameter CVE-2025-11735 7.5 LionTree October 27, 2025
4 HUSKY <= 1.3.7 - Authenticated (Contributor+) Local File Inclusion CVE-2025-52708 8.8 LVT-tholv2k June 19, 2025
5 HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.4 - Unauthenticated Local File Inclusion CVE-2025-26890 7.5 Dimas Maulana March 14, 2025
6 HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion CVE-2025-1661 9.8 Hiroho Shimada March 10, 2025
7 HUSKY – Products Filter for WooCommerce <= 1.3.6.3 - Reflected Cross-Site Scripting via really_curr_tax Parameter CVE-2024-11400 6.1 Daniel Scheidt November 19, 2024
8 HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.1 - Insecure Direct Object Reference to Unsubscribe CVE-2024-7491 5.3 shaman0x01 September 24, 2024
9 HUSKY <= 1.3.6.1 - Authenticated (Shop Manager+) Arbitrary Options Update CVE-2024-43121 7.2 Rafie Muhammad August 7, 2024
10 HUSKY - Products Filter Professional for WooCommerce <= 1.3.6 - Unauthenticated Time-Based SQL Injection CVE-2024-6457 9.8 Arkadiusz Hydzik July 15, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation