WordPress Plugin Vulnerabilities

HUSKY – Products Filter Professional for WooCommerce < 1.3.6.2 - Insecure Direct Object Reference to Unsubscribe

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.6.1 via the woof_messenger_remove_subscr AJAX action due to missing validation on the 'key' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to unsubscribe users from a product notification sign-ups, if they can successfully obtain or brute force the key value for users who signed up to receive notifications. This vulnerability requires the plugin's Products Messenger extension to be enabled.

Affects Plugins

Plugin icon
woocommerce-products-filter
Fixed in 1.3.6.2

References

CVE
CVE-2024-7491
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/daf6b0d5-79a6-4b8f-924e-9e78cb2b5742

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
shaman0x01
Verified
No
WPVDB ID
fb9163d2-6e2d-47f2-86b2-57a04872c39e

Timeline

Publicly Published
2024-09-24 (about 1 year ago)
Added
2024-09-24 (about 1 year ago)
Last Updated
2024-09-25 (about 1 year ago)

Other

Published
Title
Published
2024-12-11
Title
Child Theme Creator by Orbisius < 1.5.6 - Missing Authorization to Authenticated (Subscriber+) Cloud Snippet Update/Delete
Published
2025-12-31
Title
Tasty Recipes Lite < 1.1.6 - Missing Authorization
Published
2024-05-29
Title
Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection < 10.24 - Missing Authorization to Information Expsoure
Published
2025-12-23
Title
Share, Print and PDF Products for WooCommerce <= 3.1.2 - Missing Authorization
Published
2023-12-26
Title
Essential Blocks for Gutenberg < 4.2.1 - Contributor+ Unauthorised Actions