Volerion logoVolerion
Volerion logoVolerion

HUSKY Products Filter Professional for WooCommerce Insecure Direct Object Reference Vulnerability

Vulnerability

A vulnerability allowing Insecure Direct Object Reference has been identified in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, affecting all versions through 1.3.7.3. The issue arises in the 'woof_add_subscr' function, where insufficient validation of a user-controlled key allows authenticated attackers with subscriber-level access or higher to create product messenger subscriptions for arbitrary users, including administrators.

Impact

Exploitation of this vulnerability could lead to unauthorized creation of product messenger subscriptions on behalf of other users, potentially including administrators.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can send a request to the 'woof_add_subscr' function without the necessary validation on the 'user_id' key. This can be done by manipulating the request to include a 'user_id' that corresponds to the user for whom the subscription should be created.

Remediation

Users are advised to update the HUSKY – Products Filter Professional for WooCommerce plugin to version 1.3.7.4 or a newer patched version.

Added: Dec 18, 2025, 1:19 PM
Updated: Dec 18, 2025, 3:15 PM

Vulnerability Rating

Custom Algorithm
spread
3.4
impact
5.0
exploitability
6.0
remediation
7.7
relevance
1.5
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.