vulnerability

WordPress Plugin: woocommerce-products-filter: CVE-2025-13110: Authorization Bypass Through User-Controlled Key

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:L/Au:S/C:N/I:P/A:N)	Dec 17, 2025	Dec 18, 2025	Dec 19, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:N/I:P/A:N)

Published

Dec 17, 2025

Added

Dec 18, 2025

Modified

Dec 19, 2025

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators.

Solution

woocommerce-products-filter-plugin-cve-2025-13110

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-13110
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/9ea2dfc5-0dcc-4ea1-9ade-d59021e078fa?source=api-prod
CVE-2025-13110
https://attackerkb.com/topics/CVE-2025-13110
CWE-639

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today