Overview
CVE-2025-13109 is a medium-severity vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress. It is an Insecure Direct Object Reference (IDOR): any authenticated user, including one with only subscriber-level access, can add or remove saved search queries in another user's profile, including an administrator's. All versions up to and including 1.3.7.2 are affected.
Technical Details
The flaw is a missing authorization check on a user-controlled key in the woof_add_query and woof_remove_query functions. The key selects whose saved search queries the request operates on, and the plugin never verifies that the requester owns that record (or otherwise has the right to edit that user's profile). An attacker who can reach these functions as a logged-in user therefore only has to change the key in the request to write a query into, or delete a query from, any other user's saved searches.
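The following is an added illustration of the pattern described above, not the plugin's own code: a hypothetical WordPress AJAX handler that stores saved queries in user meta. The handler names, the meta key, the nonce action and the request parameter names are all assumptions chosen for the example. The vulnerable version takes the user ID that selects the record from the request; the hardened versions bind the record to the authenticated user and verify a nonce.

```php
<?php
// Added example for CVE-2025-13109. Function names, meta key, nonce action and
// request parameters are assumptions for illustration, not the plugin's code.
// Saved queries are modelled as an array stored in user meta.

// --- Vulnerable pattern: the key that selects the target record comes from the
// request and is never checked against the logged-in user. Not registered below.
function example_add_query_vulnerable() {
	$target_user = absint( $_POST['user_id'] ?? 0 );                       // attacker-controlled key
	$query       = sanitize_text_field( wp_unslash( $_POST['query'] ?? '' ) );

	$saved   = get_user_meta( $target_user, 'example_saved_queries', true );
	$saved   = is_array( $saved ) ? $saved : array();
	$saved[] = $query;
	update_user_meta( $target_user, 'example_saved_queries', $saved );    // writes to any user's record
	wp_send_json_success();
}

// --- Hardened pattern: CSRF nonce, authentication, and the record bound to
// get_current_user_id() rather than to anything in the request.
function example_add_query_fixed() {
	check_ajax_referer( 'example_saved_queries', 'nonce' );                // dies on a bad/missing nonce
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( 'not logged in', 401 );
	}
	$user_id = get_current_user_id();                                      // never taken from the request
	$query   = sanitize_text_field( wp_unslash( $_POST['query'] ?? '' ) );
	if ( '' === $query ) {
		wp_send_json_error( 'empty query', 400 );
	}

	$saved   = get_user_meta( $user_id, 'example_saved_queries', true );
	$saved   = is_array( $saved ) ? $saved : array();
	$saved[] = $query;
	update_user_meta( $user_id, 'example_saved_queries', $saved );
	wp_send_json_success();
}

function example_remove_query_fixed() {
	check_ajax_referer( 'example_saved_queries', 'nonce' );
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( 'not logged in', 401 );
	}
	$user_id = get_current_user_id();
	$index   = isset( $_POST['index'] ) ? absint( $_POST['index'] ) : -1;

	$saved = get_user_meta( $user_id, 'example_saved_queries', true );
	if ( ! is_array( $saved ) || ! array_key_exists( $index, $saved ) ) {
		wp_send_json_error( 'no such query', 404 );                        // only the caller's own list is searched
	}
	unset( $saved[ $index ] );
	update_user_meta( $user_id, 'example_saved_queries', array_values( $saved ) );
	wp_send_json_success();
}

// Only the hardened handlers are registered. No wp_ajax_nopriv_ hook: anonymous
// callers must not reach these endpoints at all.
add_action( 'wp_ajax_example_add_query', 'example_add_query_fixed' );
add_action( 'wp_ajax_example_remove_query', 'example_remove_query_fixed' );
```

The fix is the ownership binding, not the sanitization: escaping the query string does nothing against an IDOR, because the attacker is sending a well-formed request for someone else's record. If a legitimate feature requires acting on another user's profile (an administrator editing a customer's saved searches), keep the target ID in the request but gate it with `current_user_can( 'edit_user', $target_user )` instead of trusting the key.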
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) base score for CVE-2025-13109 is 4.3. That score matches the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (which computes to exactly 4.3). The medium rating reflects that authentication is required and that only integrity is affected: an attacker can alter other users' saved search queries but cannot read data or disrupt the site through this flaw alone.
Specifically:
- Attack Vector (AV): Network (N) – The vulnerability is exploitable over the network.
- Attack Complexity (AC): Low (L) – No special conditions are needed; the attacker only changes a parameter in an otherwise normal request.
- Privileges Required (PR): Low (L) – Any authenticated account suffices (e.g., a subscriber), so sites with open user registration are the most exposed.
- User Interaction (UI): None (N) – No user interaction is required for exploitation.
- Scope (S): Unchanged (U) – The vulnerable component and the impacted component are the same; the plugin's own data is modified, not another security authority's.
- Confidentiality (C): None (N) – There is no impact on data confidentiality.
- Integrity (I): Low (L) – The attacker can modify data (other users' saved search queries) but has no control over what else on the site is changed.
- Availability (A): None (N) – There is no impact on system availability.
Possible Impact
Exploitation of this vulnerability is limited to integrity of saved search queries, but that still has consequences:
- Tampering with privileged users' workflows: An attacker can plant queries in an administrator's saved searches or delete the ones they rely on. Whether a planted query can do more than return misleading results depends on how the saved query is later rendered and executed, which this advisory does not establish.
- Data manipulation: Users acting on manipulated saved searches see filter results the attacker chose, which can skew reporting or business decisions based on those results.
- Disruption of the user experience: Deleting or replacing other users' saved searches degrades the filter feature for everyone on the site. This is not defacement of site content, but it is site-wide, low-effort tampering available to any registered account.
Mitigation or Patch Steps
The recommended mitigation is to update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest version. Check for updates in the WordPress dashboard, download the latest version from the WordPress plugin repository, or list installed plugin versions with WP-CLI (`wp plugin list --fields=name,version`) and confirm the installed version is later than 1.3.7.2. The fix in versions after 1.3.7.2 adds the missing validation and authorization checks so that saved search queries can only be modified by their owner. No configuration-only workaround is documented; while the vulnerable version is installed, the exposure is bounded by who can obtain an account, so disabling open registration reduces the attack surface until the update is applied.
