HUSKY < 1.3.6.2 – Authenticated (Shop Manager+) Arbitrary Options Update | CVE 2024-43121 | Plugin Vulnerabilities

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to missing option validation on the do_import_data() function in all versions up to, and including, 1.3.6.1. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affects Plugins

woocommerce-products-filter

Fixed in 1.3.6.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/02af50bf-d0f3-4dd7-89bd-dd60c33b5097

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

3fc09e42-1fdc-432f-8dcb-2254b7d42ccc

Timeline

Publicly Published

2024-08-07 (about 1 year ago)

Added

2024-08-15 (about 1 year ago)

Last Updated

2024-08-15 (about 1 year ago)

Other

Published

Title

Published

2026-02-18

Title

Advanced Ads – Ad Manager & AdSense < 2.0.15 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update

Published

2026-06-04

Title

InPost PL < 1.9.1 - Unauthenticated WooCommerce Order Parcel-Locker Hijacking

Published

2024-03-25

Title

Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure

Published

2023-11-28

Title

JetEngine < 3.2.5 - Authenticated (Contributor+) Privilege Escalation

Published

2021-10-19

Title

Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation