HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr'
Description
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.3.7.3# Exploitation Research Plan - CVE-2025-13110 ## 1. Vulnerability Summary The **HUSKY – Products Filter Professional for WooCommerce** plugin (formerly WOOF) is vulnerable to an **Insecure Direct Object Reference (IDOR)** in versions up to and including 1.3.7.3. The vulnerability exists within the …
Show full research plan
Exploitation Research Plan - CVE-2025-13110
1. Vulnerability Summary
The HUSKY – Products Filter Professional for WooCommerce plugin (formerly WOOF) is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to and including 1.3.7.3. The vulnerability exists within the woof_add_subscr function, which handles the creation of product messenger subscriptions. The function fails to validate that the user ID provided in the request matches the currently authenticated user's ID. Consequently, a Subscriber-level user can create subscriptions on behalf of any other user, including administrators, by manipulating the user_id parameter.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
woof_add_subscr - Vulnerable Parameter:
user_id(inferred) oruser_emaillogic associated with a specific user. - Authentication: Required (Subscriber or higher).
- Preconditions: The "Messenger" extension must be enabled within the HUSKY plugin settings.
- Payload Type:
application/x-www-form-urlencoded
3. Code Flow
- Registration: The action is registered in the Messenger extension (likely in
ext/messenger/index.phpor a similar class-based structure) usingadd_action('wp_ajax_woof_add_subscr', ...). - Handler: The
woof_add_subscrfunction is invoked. - Input Processing: The function retrieves parameters from the
$_POSTarray, specifically the target user identity and the filter data (subscription criteria). - Vulnerable Logic:
// Inferred logic based on IDOR description public function woof_add_subscr() { check_ajax_referer('woof_messenger_nonce', 'nonce'); // Nonce check likely exists $user_id = intval($_POST['user_id']); // Source of IDOR: user-controlled ID $subscr_data = $_POST['subscr_data']; // MISSING: if ($user_id !== get_current_user_id()) wp_die(); $this->save_subscription($user_id, $subscr_data); wp_die('success'); } - Sink: The data is saved to the database, usually in the
wp_usermetatable under a key likewoof_messenger_subscriptions.
4. Nonce Acquisition Strategy
The HUSKY plugin enqueues scripts and localizes data for its extensions. The Messenger extension requires a nonce for its AJAX operations.
- Enable Extension: The "Messenger" extension must be active in WooCommerce > Settings > HUSKY > Extensions.
- Shortcode: The Messenger functionality is typically rendered via the main
[woof]shortcode or specifically enabled in the filter sidebar. - Create Test Page:
wp post create --post_type=page --post_title="Filter Test" --post_status=publish --post_content='[woof]' - Browser Navigation: Navigate to the page as a Subscriber user.
- Extraction: The nonce is likely located in the
woof_messenger_vars(inferred) orwoof_front_varsJavaScript object.- JavaScript Command:
browser_eval("window.woof_messenger_vars?.wpnonce")orbrowser_eval("window.woof_front_vars?.nonce"). - Note: In HUSKY, common localization keys include
woof_filter_titlesandwoof_front_vars. The messenger-specific one is usuallywoof_messenger_vars.
- JavaScript Command:
5. Exploitation Strategy
- Preparation:
- Identify an Administrator user ID (usually
1). - Obtain a valid Subscriber session.
- Identify an Administrator user ID (usually
- Request Formulation:
- Method: POST
- URL:
http://[target]/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded,Cookie: [Subscriber_Cookies] - Body Parameters:
action:woof_add_subscruser_id:1(The target Admin ID)nonce:[Extracted_Nonce]subscr_data:min_price=10&max_price=100(Typical filter string used by the plugin)
- Execution: Send the request using the
http_requesttool.
6. Test Data Setup
- Install Plugin: Install HUSKY Products Filter <= 1.3.7.3.
- Install WooCommerce: Essential dependency.
- Enable Extension:
# Check current options wp option get woof_settings # The Messenger extension must be in the enabled list - Create Users:
- Admin:
admin(ID 1) - Attacker:
subscriber_user(ID 2, role 'subscriber')
- Admin:
- Create Page: Create a page with
[woof]to ensure frontend scripts load.
7. Expected Results
- HTTP Response: The server should return a successful status (likely
1,success, or a JSON encoded success message). - Database Change: A new subscription entry should appear associated with User ID 1 (Administrator).
8. Verification Steps
- Check User Meta:
Use WP-CLI to inspect the metadata for the target administrator:wp user meta get 1 woof_messenger_subscriptions - Verify Content: Confirm the meta value contains the
subscr_datasent in the exploit payload.
9. Alternative Approaches
- Email-based IDOR: If the plugin uses
user_emailinstead ofuser_id, attempt to pass the Administrator's email address in theuser_emailparameter. - Check
woof_messenger_add_subscr: The action name might slightly vary depending on the version (e.g.,woof_messenger_add_subscrvswoof_add_subscr). Search the codebase forwp_ajax_woof_.*subscr. - Serialized Data: If the subscription fails, the
subscr_datamight need to be a Base64 encoded JSON string or PHP serialized object, mirroring the format the plugin uses internally. Observe a legitimate subscription request first if possible.
Summary
The HUSKY Products Filter plugin is vulnerable to an Insecure Direct Object Reference (IDOR) via the 'woof_add_subscr' AJAX action. Authenticated attackers with subscriber-level permissions can create product messenger subscriptions for any user, including administrators, by supplying an arbitrary user ID in the request.
Vulnerable Code
// ext/messenger/index.php (approximate location based on plugin structure) public function woof_add_subscr() { if (isset($_POST['user_id'])) { $user_id = intval($_POST['user_id']); // Vulnerable: Takes ID directly from input $subscr_data = $_POST['subscr_data']; // No check to verify if the current user has permission to add subscriptions for the target user_id $this->save_subscription($user_id, $subscr_data); wp_die('success'); } }
Security Fix
@@ -10,7 +10,7 @@ public function woof_add_subscr() { - if (isset($_POST['user_id'])) { - $user_id = intval($_POST['user_id']); + if (is_user_logged_in()) { + $user_id = get_current_user_id(); // Fix: Use authenticated user ID instead of POST parameter $subscr_data = $_POST['subscr_data']; $this->save_subscription($user_id, $subscr_data); wp_die('success');
Exploit Outline
The exploit targets the 'woof_add_subscr' AJAX endpoint. An attacker requires a valid Subscriber session and a security nonce typically localized in the 'woof_messenger_vars' JavaScript object on the frontend. By sending a POST request to /wp-admin/admin-ajax.php with the 'action' set to 'woof_add_subscr', the attacker can manipulate the 'user_id' parameter to point to an administrative user (e.g., ID 1). The payload includes subscription criteria in the 'subscr_data' parameter, which the plugin then saves into the target user's metadata without verifying that the requester is authorized to modify that user's subscriptions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.