CVE-2025-13110 MEDIUM

CVE-2025-13110: HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr'

Vendor: Realmag777
Product: HUSKY – Products Filter Professional for WooCommerce
Weakness: CWE-639 · IDOR
Published: December 18, 2025
Last update: April 8, 2026

CVSS base score: 4.3/10

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function, due to missing validation on a user-controlled key. This makes it possible for authenticated attackers with subscriber-level access and above to create product messenger subscriptions on behalf of arbitrary users, including administrators.
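The pattern behind a CWE-639 flaw of this kind, shown as an added illustration rather than HUSKY's own code: a hypothetical WordPress AJAX handler that takes the target user id from the request (the weak form) next to one that binds the subscription to the authenticated caller. All function names, the nonce action and the meta key are assumptions.

```php
<?php
// Added example, not code from the HUSKY plugin. Every name below is hypothetical.

// Weak form (CWE-639): the user id is a user-controlled key that is never checked
// against the caller, so any logged-in account can write a subscription for
// any other user, including administrators.
function hypo_add_subscr_weak() {
    $user_id    = absint( $_POST['user_id'] ?? 0 );      // attacker-chosen
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $subs   = get_user_meta( $user_id, 'hypo_product_subscriptions', true );
    $subs   = is_array( $subs ) ? $subs : array();
    $subs[] = $product_id;
    update_user_meta( $user_id, 'hypo_product_subscriptions', array_values( array_unique( $subs ) ) );
    wp_send_json_success();
}

// Hardened form: derive the owner from the session, require a nonce so the request
// comes from the plugin's own UI, and validate that the referenced object is a product.
function hypo_add_subscr_fixed() {
    check_ajax_referer( 'hypo_add_subscr', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    // The subscription owner is the caller; the id is never read from the request.
    $user_id    = get_current_user_id();
    $product_id = absint( $_POST['product_id'] ?? 0 );
    if ( ! $product_id || 'product' !== get_post_type( $product_id ) ) {
        wp_send_json_error( 'invalid product', 400 );
    }
    // If a feature legitimately needs to act on another account, gate that path with
    // current_user_can( 'edit_user', $target_id ) instead of trusting the supplied id.
    $subs   = get_user_meta( $user_id, 'hypo_product_subscriptions', true );
    $subs   = is_array( $subs ) ? $subs : array();
    $subs[] = $product_id;
    update_user_meta( $user_id, 'hypo_product_subscriptions', array_values( array_unique( $subs ) ) );
    wp_send_json_success( array( 'product_id' => $product_id ) );
}
add_action( 'wp_ajax_hypo_add_subscr', 'hypo_add_subscr_fixed' );
```

When reviewing a plugin for this class of bug, look for any handler that reads a user id, order id or similar key from `$_POST`/`$_GET` and uses it without comparing it to `get_current_user_id()` or a capability check.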

Explanation of Vulnerability in Simple Terms

02 Summary

HUSKY – Products Filter Professional for WooCommerce versions up to 1.3.7.3 contain an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter plugin settings or product filter configurations through an unprotected endpoint. The vulnerability requires valid site credentials but no additional user interaction.

What an attacker can do

03 Attacker Capabilities

Modify product filters or plugin settings without proper authorization.

Potential impact on your site

04 Site Impact

Unauthorized users can alter product filter behavior or plugin configuration, potentially disrupting store functionality.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06 Disclosure timeline

December 18, 2025: CVE published
April 8, 2026: Record updated
