CVE-2025-1661

CRITICAL EXPLOITED NUCLEI

HUSKY Products Filter Professional for WooCommerce <= 1.3.6.5 - Local File Inclusion via 'template'


Exploitation Summary

CVE-2025-1661 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including iSee857, gbrsh, shahwarshah. A Nuclei detection template is also available.


Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
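The description above gives defenders what they need to hunt for probing of this bug in ordinary web-server logs: the request hits the WordPress AJAX endpoint with the woof_text_search action and carries a path-traversal value in the template parameter. The following Python script is an added example written for this page, not code from the plugin, the researchers, or the Nuclei template. The log lines are constructed samples, and the traversal patterns it matches (../ sequences, absolute paths, stream wrappers, NUL bytes) are an assumption about payload shape, since the page only establishes CWE-22 traversal via template, not the exact payloads used in the wild.

```python
"""Hunt combined-format access logs for CVE-2025-1661 probing: requests to
/wp-admin/admin-ajax.php with action=woof_text_search and a traversal-style
value in the `template` parameter (the LFI sink named in the description)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (Apache/nginx default). Only the request line is parsed;
# the referrer / user-agent tail is tolerated but ignored. Note that a POST
# carrying the same parameters in its body is NOT visible in this format, so
# this hunt undercounts unless request bodies are logged separately.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Traversal / include-style shapes. Assumption: the page establishes CWE-22
# traversal via `template`; these patterns are the editor's, not the page's.
SUSPICIOUS = re.compile(r'\.\./|\.\.\\|^/|^[a-z]+://|%00|\x00', re.IGNORECASE)

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "woof_text_search"


def classify(line):
    """Return a finding dict for one log line, or None if it is not relevant.

    severity is "high" when the template value looks like traversal/include
    abuse and "info" when the vulnerable action is called with a template
    value that looks harmless (still worth baselining on a patched site).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(AJAX_PATH):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    if ACTION not in qs.get("action", []):
        return None
    # parse_qs already decoded once; decode again so a double-encoded
    # %252e%252e%252f payload does not slip past the pattern match.
    templates = [unquote(t) for t in qs.get("template", [])]
    if not templates:
        return None
    hits = [t for t in templates if SUSPICIOUS.search(t)]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "template": hits or templates,
        "severity": "high" if hits else "info",
    }


def hunt(lines):
    """Run classify() over an iterable of log lines, keeping only findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /?s=shoes HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&term=red HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=search HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2025:12:01:10 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=../../../../../../etc/passwd HTTP/1.1" 200 1842 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Mar/2025:12:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1842 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Mar/2025:12:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1842 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["ts"], finding["template"])
```

A 200 response to a high-severity hit is the signal to escalate: on a patched site (1.3.6.6 or later) the same request should not return file contents. The final sample line shows the blind spot: a POST with the parameters in its body is indistinguishable from legitimate AJAX traffic in the access log, so pair this hunt with body logging or a WAF that inspects POST parameters.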

Exploits (4)

github WORKING POC 40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/WooCommerce_CVE-2025-1661-LFI.py

The automated analysis attached to this entry describes a different vulnerability (CVE-2026-22812, a remote command execution in OpenCode) and does not apply to this file. Judging by its filename, the script is a Python proof-of-concept for the CVE-2025-1661 Local File Inclusion; no reliable analysis of it is available on this page.

Classification
Unverified (the attached analysis belongs to CVE-2026-22812, not to this file)
Attack Type
Lfi (per filename; not confirmed by analysis)
Target: HUSKY – Products Filter Professional for WooCommerce (per filename; version not specified)
No auth needed (per the CVE description)
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 1 stars
by gbrsh · remote
https://github.com/gbrsh/CVE-2025-1661

This is a functional exploit for CVE-2025-1661, targeting a Local File Inclusion (LFI) vulnerability in HUSKY – Products Filter Professional for WooCommerce. The exploit can escalate to Remote Code Execution (RCE) via log poisoning.

Classification
Working Poc 95%
Attack Type
Rce | Lfi
Complexity
Moderate
Reliability
Reliable
Target: HUSKY – Products Filter Professional for WooCommerce < 1.3.6.6
No auth needed
Prerequisites: Target must be running a vulnerable version of the plugin · For the RCE path, the web server's log files must be readable and includable by PHP (log poisoning)
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP
by shahwarshah · poc
https://github.com/shahwarshah/CVE-2025-1661

This repository contains a detailed writeup and proof-of-concept for CVE-2025-1661, an unauthenticated Local File Inclusion (LFI) vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress. The vulnerability allows attackers to include and execute arbitrary files on the server via the `template` parameter of the `woof_text_search` AJAX action.

Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5
No auth needed
Prerequisites: Access to the target website · Ability to send HTTP requests
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by MuhammadWaseem29 · infoleak
https://github.com/MuhammadWaseem29/CVE-2025-1661

This repository contains a proof-of-concept for an unauthenticated Local File Inclusion (LFI) vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin. The exploit leverages the `template` parameter in the `woof_text_search` AJAX action to read arbitrary files from the server.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and active
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch

Scores

CVSS v3 9.8
EPSS 0.9315
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation none (CISA's enrichment value; it differs from the VulnCheck KEV in-the-wild exploitation record above)
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-03-10
CWE
CWE-22
Status published
Products (2)
pluginus/husky_-_products_filter_professional_for_woocommerce < 1.3.6.6
realmag777/HUSKY – Products Filter Professional for WooCommerce < 1.3.6.5 (as recorded; the description above and the fix in 1.3.6.6 indicate 1.3.6.5 itself is affected)
Published Mar 11, 2025
Tracked Since Feb 18, 2026