HUSKY Products Filter Professional for WooCommerce Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in the HUSKY – Products Filter Professional for WooCommerce plugin, affecting all versions up to and including 1.3.6.5. The vulnerability lies in the 'template' parameter of the woof_text_search AJAX action, which allows unauthenticated attackers to include and execute arbitrary files on the server. Successful exploitation can be used to bypass access controls, obtain sensitive data, or achieve code execution where files of permitted types, such as images, can be uploaded and then included.

Impact

Exploitation of this vulnerability leads to unauthorized file inclusion, which allows attackers to execute arbitrary PHP code on the server. This can be used to bypass access controls, read sensitive information, or run malicious code, in particular where the included files can be controlled by the attacker and interact with the WordPress environment or the underlying server.

Reproduction

To reproduce this vulnerability, send a request to the 'woof_text_search' AJAX action with the 'template' parameter set to the path of a file the web server process can read. Because the 'template' parameter is vulnerable to path traversal, its value can point at arbitrary files on the server rather than only the plugin's own templates.

Remediation

Users are advised to update the HUSKY – Products Filter Professional for WooCommerce plugin to version 1.3.6.6 or later.
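While the update is being rolled out, site operators can check web server access logs for requests that hit the woof_text_search AJAX action with a 'template' value containing traversal sequences or absolute paths. The following detection script is an added example and is not code from the plugin's vendor; the log lines, IP addresses (documentation range) and file names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# Note: admin-ajax.php is often called with POST, in which case the parameters
# are not in the access log at all and application-level or WAF logging is needed.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2025:19:46:01 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=search-result HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2025:19:46:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../index.php HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.8 - - [09/Jun/2025:19:46:03 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%2e%2e%2f%2e%2e%2fuploads%2fx.png HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.9 - - [09/Jun/2025:19:46:04 +0000] "GET /?s=shoes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that a 'template' value is trying to leave the plugin's template
# directory: "../" or "..\" segments, an absolute Unix or Windows path, or a null byte.
SUSPICIOUS = re.compile(r'(\.\./|\.\.\\|^/|^[a-zA-Z]:\\|\x00)')


def is_suspicious_template(value):
    """True if a 'template' parameter value looks like a path traversal attempt."""
    # Decode twice so that double-encoded sequences such as %252e%252e are caught too.
    decoded = unquote(unquote(value))
    return bool(SUSPICIOUS.search(decoded))


def find_lfi_attempts(log_text):
    """Return (ip, timestamp, template) tuples for woof_text_search requests
    whose 'template' parameter looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if "woof_text_search" not in qs.get("action", []):
            continue  # only the vulnerable AJAX action is of interest
        for template in qs.get("template", []):
            if is_suspicious_template(template):
                hits.append((m.group("ip"), m.group("ts"), template))
    return hits


if __name__ == "__main__":
    for ip, ts, template in find_lfi_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious template={template!r}")
```

A hit only shows that traversal was attempted; whether inclusion succeeded depends on the plugin version and on which files were reachable, so confirmed hits should be followed up on the affected host.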

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 9.3
remediation: 7.7
relevance: 0.0
threat: 6.7
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.