HUSKY Vulnerability – Products Filter Professional for WooCommerce – Authenticated (Admin+) Local File Inclusion – CVE-2024-3061 | WordPress Plugin Vulnerability Report
Plugin Name: HUSKY – Products Filter Professional for WooCommerce
Key Information:
- Software Type: Plugin
- Software Slug: woocommerce-products-filter
- Software Status: Active
- Software Author: realmag777
- Software Downloads: 1,693,230
- Active Installs: 100,000
- Last Updated: April 1, 2024
- Patched Versions: 1.3.5.3
- Affected Versions: <= 1.3.5.2
Vulnerability Details:
- Name: HUSKY – Products Filter Professional for WooCommerce <= 1.3.5.2
- Title: Authenticated (Admin+) Local File Inclusion
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CVE: CVE-2024-3061
- CVSS Score: 7.2
- Publicly Published: March 28, 2024
- Researcher: haidv35 from Viettel Cyber Security - VCS
- Description: The HUSKY plugin, which adds advanced product filtering to WooCommerce stores, is vulnerable to Local File Inclusion (LFI) in versions up to and including 1.3.5.2. Because the 'type' parameter is not properly validated, an attacker who already holds administrator-level access can make the plugin include and execute arbitrary files on the server. This can lead to execution of malicious PHP code and potentially full compromise of the site.
Summary:
The HUSKY – Products Filter Professional for WooCommerce plugin contains a serious security vulnerability in versions up to and including 1.3.5.2, which is fixed in version 1.3.5.3. The flaw allows authenticated attackers with administrator privileges to abuse the plugin's file handling to execute arbitrary code.
Detailed Overview:
This vulnerability, reported by researcher haidv35 of Viettel Cyber Security, underscores the importance of strict parameter validation in plugins: a single file-selecting parameter that accepts untrusted input is enough to turn an administrator account into arbitrary code execution on the server. The potential for attackers to use the flaw to bypass access controls or extract sensitive data makes prompt remediation essential. The release of version 1.3.5.3 addresses the issue.
Advice for Users:
- Immediate Action: Users are strongly encouraged to update their HUSKY plugin to the latest patched version, 1.3.5.3, to mitigate the risk posed by this vulnerability.
- Check for Signs of Vulnerability: Website administrators should review web-server and application logs for requests in which the 'type' parameter carries path traversal sequences, absolute paths or other unexpected values, and check the file system for unexpected files or modifications that could signal exploitation. Because exploitation requires administrator access, any such finding should also prompt a review of administrator accounts and sessions.
- Alternate Plugins: While the patched version addresses this specific vulnerability, users maintaining a cautious approach may explore other WooCommerce product filter plugins that meet their requirements.
- Stay Updated: Consistently updating plugins to their latest versions is essential in protecting WordPress sites from known vulnerabilities. Users should remain vigilant and proactive in applying updates to safeguard their online presence.
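The log review suggested above under "Check for Signs of Vulnerability", as an added example that is not part of the original report or of the plugin's code: it scans Apache combined-format access-log lines for requests whose `type` query parameter carries traversal sequences, absolute paths or stream wrappers, including double-encoded forms. The log lines, IP addresses and admin page name are constructed placeholders; the plugin's real endpoint is not given in the report.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format; the admin page
# name and the IPs are placeholders, not real traffic or plugin endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Mar/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=example-page&type=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Mar/2024:10:02:17 +0000] "GET /wp-admin/admin.php?page=example-page&type=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Mar/2024:10:03:44 +0000] "GET /wp-admin/admin.php?page=example-page&type=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Mar/2024:10:05:00 +0000] "GET /shop/?orderby=price&type=grid HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Request-line fields of the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Values a file-selecting parameter should never legitimately carry:
# directory traversal, absolute paths, stream wrappers, NUL bytes.
SUSPICIOUS = re.compile(r'(\.\./|\.\.\\|^/|^[a-z]:\\|^[a-z]+://|\x00)', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded traversal is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lfi_attempts(log_text, param="type"):
    """Return requests whose `param` query value looks like a file-inclusion probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m.group("target")).query
        # parse_qs already decodes one layer; decode_fully handles the rest.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = decode_fully(value)
            if SUSPICIOUS.search(decoded):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "value": decoded, "status": int(m.group("status"))})
    return hits

for hit in find_lfi_attempts(SAMPLE_LOG):
    print(hit)
```

Access logs record only query strings, so parameters sent in POST bodies need application or WAF logs; because exploitation requires administrator privileges, any hit should be correlated with the admin session that issued it.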
Conclusion:
The quick remediation of the Local File Inclusion vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin illustrates the ongoing challenge of keeping WordPress sites secure in an evolving threat landscape. Updating to version 1.3.5.3 or later closes this particular hole and reinforces the role of timely updates in preserving the security and integrity of websites.