WordPress Plugin Vulnerabilities

HUSKY – Products Filter Professional for WooCommerce < 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query'

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators.

Affects Plugins

Plugin icon
woocommerce-products-filter
Fixed in 1.3.7.3

References

CVE
CVE-2025-13109
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9effc186-c225-4b3b-9b8c-c453505a41de

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
a05acedc-67ee-452c-9c24-3f83c878663a

Timeline

Publicly Published
2025-12-03 (about 6 months ago)
Added
2025-12-03 (about 6 months ago)
Last Updated
2025-12-03 (about 6 months ago)

Other

Published
Title
Published
2025-04-16
Title
Forminator < 1.42.1 - Order Replay Vulnerability
Published
2024-04-01
Title
Tickera < 3.5.2.5 - Ticket leakage through IDOR
Published
2024-06-21
Title
Bricks Builder < 1.9.9 - Insecure Direct Object Reference
Published
2026-06-22
Title
User Registration & Membership < 5.2.2 - Subscriber+ Cross-User Role and Membership Tier Modification via IDOR
Published
2024-11-11
Title
Futurio Extra < 2.0.14 - Authenticated (Contributor+) Post Disclosure