WordPress Plugin Vulnerabilities

HUSKY – Products Filter for WooCommerce Professional < 1.3.5.3 - Contributor+ SQL Injection

Description

The HUSKY – Products Filter for WooCommerce Professional plugin is vulnerable to SQL Injection via the 'name' parameter in the woof shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affects Plugins

Plugin icon
woocommerce-products-filter
Fixed in 1.3.5.3

References

CVE
CVE-2024-1795
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fff8dfbc-fd59-47db-85bb-de2a7c6a9a5f

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Krzysztof Zając, Bassem Essam
Verified
No
WPVDB ID
aeb9b958-9ade-41a5-9881-efbff66e6870

Timeline

Publicly Published
2024-03-14 (about 2 years ago)
Added
2024-03-18 (about 2 years ago)
Last Updated
2024-03-18 (about 2 years ago)

Other

Published
Title
Published
2021-10-07
Title
Chameleon CSS <= 1.2 - Subscriber+ SQL Injection
Published
2025-03-03
Title
Multiple Shipping And Billing Address For Woocommerce < 1.5 - Unauthenticated SQL Injection
Published
2025-04-01
Title
Front End Users < 3.2.33 - Authenticated (Admin+) SQL injection
Published
2021-11-15
Title
Modern Events Calendar < 6.1.5 - Unauthenticated Blind SQL Injection
Published
2025-04-21
Title
Hospital Management System <= 47.0(20-11-2023) - Authenticated (Subscriber+) SQL Injection