CVE-2024-7491 MEDIUM

CVE-2024-7491: HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.1 - Insecure Direct Object Reference to Unsubscribe

Vendor Realmag777
Product HUSKY – Products Filter Professional for WooCommerce
Weakness CWE-862 · Missing authorization
Published September 25, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.6.1 via the woof_messenger_remove_subscr AJAX action due to missing validation on the 'key' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to unsubscribe users from a product notification sign-ups, if they can successfully obtain or brute force the key value for users who signed up to receive notifications. This vulnerability requires the plugin's Products Messenger extension to be enabled.

Key dates

02Disclosure timeline

September 25, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-3295 User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.1.5 - Missing Authorization to Unauthenticated Media Deletion CVE-2026-4003 Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action CVE-2025-12165 Webcake – Landing Page Builder <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update CVE-2025-62883 WordPress Premmerce User Roles plugin <= 1.0.13 - Broken Access Control vulnerability CVE-2026-24322 Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)