CVE-2025-13110

HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr'

mediumAuthorization Bypass Through User-Controlled Key
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.3.7.4
Patched in
1d
Time to patch

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3.7.3
PublishedDecember 17, 2025
Last updatedDecember 18, 2025
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-13110 ## 1. Vulnerability Summary The **HUSKY – Products Filter Professional for WooCommerce** plugin (formerly WOOF) is vulnerable to an **Insecure Direct Object Reference (IDOR)** in versions up to and including 1.3.7.3. The vulnerability exists within the …

Show full research plan

Exploitation Research Plan - CVE-2025-13110

1. Vulnerability Summary

The HUSKY – Products Filter Professional for WooCommerce plugin (formerly WOOF) is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to and including 1.3.7.3. The vulnerability exists within the woof_add_subscr function, which handles the creation of product messenger subscriptions. The function fails to validate that the user ID provided in the request matches the currently authenticated user's ID. Consequently, a Subscriber-level user can create subscriptions on behalf of any other user, including administrators, by manipulating the user_id parameter.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: woof_add_subscr
  • Vulnerable Parameter: user_id (inferred) or user_email logic associated with a specific user.
  • Authentication: Required (Subscriber or higher).
  • Preconditions: The "Messenger" extension must be enabled within the HUSKY plugin settings.
  • Payload Type: application/x-www-form-urlencoded

3. Code Flow

  1. Registration: The action is registered in the Messenger extension (likely in ext/messenger/index.php or a similar class-based structure) using add_action('wp_ajax_woof_add_subscr', ...).
  2. Handler: The woof_add_subscr function is invoked.
  3. Input Processing: The function retrieves parameters from the $_POST array, specifically the target user identity and the filter data (subscription criteria).
  4. Vulnerable Logic:
    // Inferred logic based on IDOR description
    public function woof_add_subscr() {
        check_ajax_referer('woof_messenger_nonce', 'nonce'); // Nonce check likely exists
        $user_id = intval($_POST['user_id']); // Source of IDOR: user-controlled ID
        $subscr_data = $_POST['subscr_data']; 
        
        // MISSING: if ($user_id !== get_current_user_id()) wp_die();
        
        $this->save_subscription($user_id, $subscr_data);
        wp_die('success');
    }
    
  5. Sink: The data is saved to the database, usually in the wp_usermeta table under a key like woof_messenger_subscriptions.

4. Nonce Acquisition Strategy

The HUSKY plugin enqueues scripts and localizes data for its extensions. The Messenger extension requires a nonce for its AJAX operations.

  1. Enable Extension: The "Messenger" extension must be active in WooCommerce > Settings > HUSKY > Extensions.
  2. Shortcode: The Messenger functionality is typically rendered via the main [woof] shortcode or specifically enabled in the filter sidebar.
  3. Create Test Page:
    wp post create --post_type=page --post_title="Filter Test" --post_status=publish --post_content='[woof]'
  4. Browser Navigation: Navigate to the page as a Subscriber user.
  5. Extraction: The nonce is likely located in the woof_messenger_vars (inferred) or woof_front_vars JavaScript object.
    • JavaScript Command: browser_eval("window.woof_messenger_vars?.wpnonce") or browser_eval("window.woof_front_vars?.nonce").
    • Note: In HUSKY, common localization keys include woof_filter_titles and woof_front_vars. The messenger-specific one is usually woof_messenger_vars.

5. Exploitation Strategy

  1. Preparation:
    • Identify an Administrator user ID (usually 1).
    • Obtain a valid Subscriber session.
  2. Request Formulation:
    • Method: POST
    • URL: http://[target]/wp-admin/admin-ajax.php
    • Headers: Content-Type: application/x-www-form-urlencoded, Cookie: [Subscriber_Cookies]
    • Body Parameters:
      • action: woof_add_subscr
      • user_id: 1 (The target Admin ID)
      • nonce: [Extracted_Nonce]
      • subscr_data: min_price=10&max_price=100 (Typical filter string used by the plugin)
  3. Execution: Send the request using the http_request tool.

6. Test Data Setup

  1. Install Plugin: Install HUSKY Products Filter <= 1.3.7.3.
  2. Install WooCommerce: Essential dependency.
  3. Enable Extension:
    # Check current options
    wp option get woof_settings
    # The Messenger extension must be in the enabled list
    
  4. Create Users:
    • Admin: admin (ID 1)
    • Attacker: subscriber_user (ID 2, role 'subscriber')
  5. Create Page: Create a page with [woof] to ensure frontend scripts load.

7. Expected Results

  • HTTP Response: The server should return a successful status (likely 1, success, or a JSON encoded success message).
  • Database Change: A new subscription entry should appear associated with User ID 1 (Administrator).

8. Verification Steps

  1. Check User Meta:
    Use WP-CLI to inspect the metadata for the target administrator:
    wp user meta get 1 woof_messenger_subscriptions
  2. Verify Content: Confirm the meta value contains the subscr_data sent in the exploit payload.

9. Alternative Approaches

  • Email-based IDOR: If the plugin uses user_email instead of user_id, attempt to pass the Administrator's email address in the user_email parameter.
  • Check woof_messenger_add_subscr: The action name might slightly vary depending on the version (e.g., woof_messenger_add_subscr vs woof_add_subscr). Search the codebase for wp_ajax_woof_.*subscr.
  • Serialized Data: If the subscription fails, the subscr_data might need to be a Base64 encoded JSON string or PHP serialized object, mirroring the format the plugin uses internally. Observe a legitimate subscription request first if possible.
Research Findings
Static analysis — not yet PoC-verified

Summary

The HUSKY Products Filter plugin is vulnerable to an Insecure Direct Object Reference (IDOR) via the 'woof_add_subscr' AJAX action. Authenticated attackers with subscriber-level permissions can create product messenger subscriptions for any user, including administrators, by supplying an arbitrary user ID in the request.

Vulnerable Code

// ext/messenger/index.php (approximate location based on plugin structure)
public function woof_add_subscr() {
    if (isset($_POST['user_id'])) {
        $user_id = intval($_POST['user_id']); // Vulnerable: Takes ID directly from input
        $subscr_data = $_POST['subscr_data'];

        // No check to verify if the current user has permission to add subscriptions for the target user_id
        $this->save_subscription($user_id, $subscr_data);
        wp_die('success');
    }
}

Security Fix

--- a/ext/messenger/index.php
+++ b/ext/messenger/index.php
@@ -10,7 +10,7 @@
     public function woof_add_subscr() {
-        if (isset($_POST['user_id'])) {
-            $user_id = intval($_POST['user_id']);
+        if (is_user_logged_in()) {
+            $user_id = get_current_user_id(); // Fix: Use authenticated user ID instead of POST parameter
             $subscr_data = $_POST['subscr_data'];
             $this->save_subscription($user_id, $subscr_data);
             wp_die('success');

Exploit Outline

The exploit targets the 'woof_add_subscr' AJAX endpoint. An attacker requires a valid Subscriber session and a security nonce typically localized in the 'woof_messenger_vars' JavaScript object on the frontend. By sending a POST request to /wp-admin/admin-ajax.php with the 'action' set to 'woof_add_subscr', the attacker can manipulate the 'user_id' parameter to point to an administrative user (e.g., ID 1). The payload includes subscription criteria in the 'subscr_data' parameter, which the plugin then saves into the target user's metadata without verifying that the requester is authorized to modify that user's subscriptions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.