CVE Alert: CVE-2025-11735 – realmag777 – HUSKY – Products Filter Professional for WooCommerce
CVE-2025-11735
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to blind SQL Injection via the `phrase` parameter in all versions up to, and including, 1.3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Summary Analysis
Risk verdict
High severity: unauthenticated remote SQL injection could expose sensitive data; current exploitation indicators are not confirmed in the wild.
Why this matters
The vulnerability affects all versions up to and including 1.3.7.1 of a WooCommerce filter plugin, enabling attackers to append SQL to the user-supplied phrase parameter without authentication. That could lead to data disclosure from the database, potentially including customer and product information, with the attendant business and regulatory implications.
Most likely attack path
A network-accessible request to the endpoint that reads the vulnerable phrase parameter; no authentication is required and no user interaction is needed. The attacker can read data via injected queries, but integrity and availability are not directly impacted. The attack relies on insufficient input sanitisation and the lack of prepared statements; successful exploitation hinges on an unpatched plugin version being reachable on the site.
Who is most exposed
WordPress sites with the HUSKY – Products Filter Professional for WooCommerce plugin installed, especially in shared hosting or environments with minimal patch cadence and exposed database access.
Detection ideas
- Unusual values in requests carrying the phrase parameter that show SQL-like syntax (UNION, information_schema, comment sequences, etc.).
- Database error messages or anomalous responses linked to filtered endpoints.
- WAF/IPS alerts on SQL injection patterns targeting this plugin.
- Sudden spikes in data transfer from the database or unexpected data returned in plugin-related endpoints.
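As an added illustration of the first detection idea above (not code from the original alert or from the plugin), the following Python scans constructed web-server access-log lines for SQL-like syntax in the URL-decoded `phrase` query parameter; the `/shop/` path and the log lines are assumptions, and matching on whole keyword pairs such as UNION SELECT rather than bare words avoids flagging ordinary search terms.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined (Apache/nginx) access-log format; not real traffic.
# The /shop/ path is an assumption, as is the use of GET for the phrase parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2025:10:01:02 +0000] "GET /shop/?phrase=red+shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Oct/2025:10:01:09 +0000] "GET /shop/?phrase=shoes%27+UNION+SELECT+1%2C2%2C3--+ HTTP/1.1" 200 5120 "-" "curl/8.4"
203.0.113.12 - - [12/Oct/2025:10:01:15 +0000] "GET /shop/?phrase=shoes%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.5 - - [12/Oct/2025:10:02:00 +0000] "GET /shop/?phrase=union+jack+flag HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators evaluated against the decoded parameter value. Time-based functions
# matter here because the advisory describes a blind injection.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "quote_logic": re.compile(r"['\"]\s*(?:or|and)\s+[\w'\"]+\s*=", re.I),
    "comment_tail": re.compile(r"(?:--\s|/\*)"),
}


def scan_log(text, param="phrase"):
    """Return one finding per request whose `param` value matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, status = m.groups()
        # parse_qs percent-decodes and turns '+' into spaces for us
        for value in parse_qs(urlsplit(target).query).get(param, []):
            hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]
            if hits:
                findings.append({"ip": ip, "time": ts, "method": method,
                                 "status": status, param: value, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["time"], f["indicators"], repr(f["phrase"]))
```

Only GET requests land in a standard access log; if the parameter is sent in a POST body, the same `SQLI_PATTERNS` would need to run over WAF or application logs that record request bodies.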
Mitigation and prioritisation
- Patch to a version beyond 1.3.7.1 as soon as available; validate compatibility with WooCommerce.
- If patching is delayed, disable or remove the plugin; apply compensating controls (WAF rules, stricter input validation).
- Implement monitoring for anomalous data exfiltration and database access.
- Conduct a data inventory and review access logs; ensure regular backups.
- If KEV is present or EPSS ≥ 0.5, treat as priority 1; otherwise, target a high-priority patch window (priority 2) with testing.