WordPress Plugin Vulnerabilities

HUSKY – Products Filter Professional for WooCommerce < 1.3.7.4 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr'

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators.

Affects Plugins

Plugin icon
woocommerce-products-filter
Fixed in 1.3.7.4

References

CVE
CVE-2025-13110
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9ea2dfc5-0dcc-4ea1-9ade-d59021e078fa

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada)
Verified
No
WPVDB ID
a46cc5ba-3c88-49d8-a067-b0eab0336775

Timeline

Publicly Published
2025-12-17 (about 6 months ago)
Added
2025-12-18 (about 6 months ago)
Last Updated
2025-12-18 (about 6 months ago)

Other

Published
Title
Published
2022-11-12
Title
Workreap - Freelance Marketplace and Directory < 2.6.3 - Subscriber+ Private Message Disclosure via IDOR
Published
2024-03-28
Title
ProfileGrid < 5.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-05-15
Title
BuddyBoss Platform < 2.6.0 - Subscriber+ Comment on Private Post via IDOR
Published
2024-08-16
Title
wpForo Forum < 2.3.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-05-13
Title
Latepoint < 5.1.93 - Unauthenticated Insecure Direct Object Reference