Description
A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin registered a page-redraw AJAX handler (the woof_redraw_woof action) that any visitor could invoke without authentication, and that handler passed the request's "shortcode" parameter to WordPress shortcode evaluation. Any shortcode registered on the site, by WordPress core or by any other installed plugin, could therefore be executed by an anonymous remote caller. Shortcodes frequently perform privileged or otherwise sensitive operations, which is why WordPress does not normally let unauthenticated users evaluate them.
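The pattern described above, and one way to close it, as an added illustration. This is hypothetical reconstruction for the page, not the plugin's source and not the vendor's actual 2.2.0 fix (which this page does not describe). Assumed: a standard WordPress environment, the woof_redraw_woof action name from the description, a hypothetical nonce action 'woof_redraw', and hypothetical [woof] attribute names (per_page, columns, taxonomies).

```php
<?php
// --- Vulnerable pattern (illustrative, do NOT register these hooks) ---
// The handler is reachable by logged-in users (wp_ajax_*) and by anonymous
// visitors (wp_ajax_nopriv_*), and it hands the raw "shortcode" parameter to
// do_shortcode(). Any registered shortcode, from any plugin, runs as the site.
//
// add_action('wp_ajax_woof_redraw_woof',        'vuln_woof_redraw_woof');
// add_action('wp_ajax_nopriv_woof_redraw_woof', 'vuln_woof_redraw_woof');
function vuln_woof_redraw_woof() {
    $shortcode = isset($_REQUEST['shortcode']) ? wp_unslash($_REQUEST['shortcode']) : '';
    echo do_shortcode($shortcode);   // attacker-controlled shortcode markup
    wp_die();
}

// --- Hardened form (illustrative) ---
// Caller-supplied shortcode markup is never evaluated. The storefront JS sends
// only a fixed set of attributes plus a nonce (obtained server-side via
// wp_create_nonce('woof_redraw') and exposed with wp_localize_script()); each
// attribute is validated, and the [woof ...] shortcode is assembled here, so
// [woof] is the only shortcode that can ever run through this endpoint.
// The nopriv hook stays because anonymous shoppers need the filter, but the
// nonce check turns a blind cross-site or scripted call into a 403.
add_action('wp_ajax_woof_redraw_woof',        'safe_woof_redraw_woof');
add_action('wp_ajax_nopriv_woof_redraw_woof', 'safe_woof_redraw_woof');

function safe_woof_redraw_woof() {
    // Dies with HTTP 403 and no output when the nonce is missing or invalid.
    check_ajax_referer('woof_redraw', 'nonce');

    // Whitelist of accepted attributes (hypothetical names) with validators
    // that return null on anything out of range or containing unexpected chars.
    $allowed = array(
        'per_page' => function ($v) {
            $n = absint($v);
            return ($n >= 1 && $n <= 100) ? $n : null;
        },
        'columns' => function ($v) {
            $n = absint($v);
            return ($n >= 1 && $n <= 6) ? $n : null;
        },
        // e.g. "product_cat:12,product_tag:7"; no quotes, brackets or spaces.
        'taxonomies' => function ($v) {
            $v = sanitize_text_field($v);
            return preg_match('/^[a-z0-9_:,-]{0,200}$/', $v) ? $v : null;
        },
    );

    $atts = array();
    foreach ($allowed as $name => $validate) {
        if (!isset($_POST[$name])) {
            continue;
        }
        $clean = $validate(wp_unslash($_POST[$name]));
        if ($clean === null) {
            wp_send_json_error(array('message' => "invalid value for $name"), 400);
        }
        // esc_attr() keeps a value from breaking out of its quoted attribute.
        $atts[] = $name . '="' . esc_attr($clean) . '"';
    }

    $html = do_shortcode('[woof ' . implode(' ', $atts) . ']');
    wp_send_json_success(array('html' => $html));
}
```

Any parameter not in the whitelist is simply ignored, so a "shortcode" field in the request has no effect. Sites running this plugin should confirm the installed version is 2.2.0 or later; on older versions, disabling the plugin removes the unauthenticated endpoint.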
References (3)
Release Notes: https://wordpress.org/plugins/woocommerce-products-filter/#developers
Third Party Advisory: https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html
Vendor Advisory: https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/
Scores
CVSS v3 base score: 9.8 (Critical)
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0432 (4.32% probability of exploitation in the next 30 days)
EPSS Percentile: 90.0%
Details
CWE: CWE-287 (Improper Authentication)
Status: published
Products (1): woocommerce-filter/woocommerce_products_filter, versions < 2.2.0
Published: Mar 14, 2018
Tracked Since: Feb 18, 2026