WordPress Plugin Vulnerability Report – HUSKY – Missing Authorization via woof_meta_get_keys() – CVE-2023-40334

Plugin Name: HUSKY

Key Information:

  • Software Type: Plugin
  • Software Slug: woocommerce-products-filter
  • Software Status: Active
  • Software Author: realmag777
  • Software Downloads: 1,602,499
  • Active Installs: 100,000
  • Last Updated: November 23, 2023
  • Patched Versions: 1.3.4.3
  • Affected Versions: <= 1.3.4.2

Vulnerability Details:

  • Name: HUSKY – Products Filter for WooCommerce (formerly WOOF) <= 1.3.4.2 - Missing Authorization via woof_meta_get_keys()
  • Title: Missing Authorization via woof_meta_get_keys()
  • Type: Missing Authorization
  • CVE: CVE-2023-40334
  • CVSS Score: 4.3 (Medium)
  • Publicly Published: November 23, 2023
  • Researcher: thiennv
  • Description: The HUSKY – Products Filter for WooCommerce (formerly WOOF) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the woof_meta_get_keys() function in versions up to, and including, 1.3.4.2. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve meta key values.

Summary:

The HUSKY plugin for WordPress has a missing authorization vulnerability in versions up to and including 1.3.4.2, caused by the absence of a capability check on the woof_meta_get_keys() function. This vulnerability has been patched in version 1.3.4.3.

Detailed Overview:

The HUSKY plugin failed to check user capabilities before allowing access to the woof_meta_get_keys() function, which retrieves meta key data. This means that any authenticated user, even one with only contributor access, could access sensitive data they should not have access to. This could expose confidential business or customer data. The vulnerability has been addressed by adding proper capability checks in version 1.3.4.3.
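
The pattern described above, as an added example (hypothetical code written for this report, not HUSKY's source): a WordPress AJAX handler without and with an authorization check. The action name, function names, nonce name and the manage_woocommerce capability are assumptions; this report does not say which capability the 1.3.4.3 patch checks.

```php
<?php
// Added illustration: hypothetical plugin code, not HUSKY's source.
// Action name, function names, nonce name and capability are assumptions.

// BEFORE: wp_ajax_* hooks fire for every logged-in user, so registering
// the handler is not an access check. Any authenticated account reaches it.
add_action('wp_ajax_example_meta_get_keys', 'example_meta_get_keys_unchecked');

function example_meta_get_keys_unchecked() {
    wp_send_json_success(example_collect_product_meta_keys());
}

// AFTER: verify intent (nonce) and authority (capability) before touching data.
// A real plugin would register only this hardened handler.
add_action('wp_ajax_example_meta_get_keys_checked', 'example_meta_get_keys_checked');

function example_meta_get_keys_checked() {
    // Reject forged requests; WordPress ends the request with 403 on failure.
    check_ajax_referer('example_meta_get_keys', 'nonce');

    // Assumed capability: WooCommerce grants it to shop managers and administrators.
    if (!current_user_can('manage_woocommerce')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    wp_send_json_success(example_collect_product_meta_keys());
}

// Shared lookup: distinct meta keys attached to WooCommerce products.
function example_collect_product_meta_keys() {
    global $wpdb;
    return $wpdb->get_col(
        $wpdb->prepare(
            "SELECT DISTINCT pm.meta_key
               FROM {$wpdb->postmeta} pm
               JOIN {$wpdb->posts} p ON p.ID = pm.post_id
              WHERE p.post_type = %s
              ORDER BY pm.meta_key",
            'product'
        )
    );
}
```

When auditing other plugins for the same class of bug, look for wp_ajax_ registrations whose callbacks never call current_user_can() before reading or writing data.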

Advice for Users:

  1. Immediate Action: Update to version 1.3.4.3 or higher as soon as possible.
  2. Check for Signs of Vulnerability: Review logs for any suspicious access of meta key data by users that should not have that level of access.
  3. Alternate Plugins: Consider alternative product filter plugins like WooCommerce Product Filter as a precaution.
  4. Stay Updated: Always keep plugins updated to avoid vulnerabilities. There have been 4 previous vulnerabilities in HUSKY since March 2018.

Conclusion:

The fast response of the HUSKY developers to patch this vulnerability shows the importance of rapid updates. Users should upgrade to version 1.3.4.3 or later to protect their WooCommerce stores.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-products-filter

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-products-filter/husky-products-filter-for-woocommerce-formerly-woof-1342-missing-authorization-via-woof-meta-get-keys

Detailed Report:

Do you use the HUSKY – Products Filter plugin on your WooCommerce store? If so, a recently disclosed vulnerability may have put your site at risk. This week a missing authorization vulnerability was revealed that could allow some users to access data they shouldn’t be able to. This highlights precisely why it’s so important to keep your WordPress site and its plugins completely up-to-date. Outdated software contains vulnerabilities that hackers actively exploit to break into sites, steal data, and more.

We want to spread awareness about this recent HUSKY vulnerability, provide specific actions site owners can take, and reinforce why comprehensive WordPress security including timely updates is essential. Don’t panic, but do take a few minutes to check if your site was vulnerable and patch if needed. We also offer web security audits and can help verify your site’s protection. The HUSKY issue exemplifies why site security requires vigilance – let us know if you have any concerns at all about protecting your site.

The HUSKY plugin is a popular WooCommerce product filter tool with over 1.6 million downloads. Versions up to and including 1.3.4.2 contain a vulnerability: the plugin fails to check user access levels before allowing sensitive product meta data to be viewed. This means users with only contributor access could view data they should not have access to.

Specifically, the woof_meta_get_keys() function does not check capabilities or roles before returning product meta keys. So an attacker with contributor or even lower access could potentially expose confidential business information or customer data that should be protected.

To resolve this issue, site owners using HUSKY should update to version 1.3.4.3 immediately. You should also review site logs for any suspicious access by users who should not have permission to view such data. And going forward, always keep HUSKY and all other plugins updated to avoid vulnerabilities.

This is not the first vulnerability found in HUSKY, with 4 previous issues disclosed since March 2018. The rapid update from the plugin developers is reassuring, but underscores the ongoing importance of timely security updates.

As a small business owner, you simply do not have time to constantly monitor for plugin vulnerabilities and updates. But failing to update has severe risks, as outdated plugins are a prime target for attacks. We strongly advise enabling automatic WordPress updates to stay on top of vulnerabilities without constant oversight. Security cannot be an afterthought - let us know if you need any help keeping your site and customer data safe.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
