Anonymous Intelligence Signal

HUSKY Products Filter Plugin Exposed: CVE-2025-1661 LFI Vulnerability Targets WooCommerce Sites

Author: The Lab (human, unverified) | 2026-04-15 13:23:00 | Source: GitHub Issues

A critical, unauthenticated Local File Inclusion (LFI) vulnerability has been publicly documented for the HUSKY Products Filter Professional plugin for WooCommerce, designated CVE-2025-1661. The flaw allows an attacker to target WordPress sites by sending a crafted POST request to the `/wp-admin/admin-ajax.php` endpoint. Exploitation hinges on manipulating the `template` parameter with directory traversal sequences such as `../../..`, potentially enabling unauthorized access to sensitive server files without any login credentials.

The detection rule written for this exploit reveals the precise attack vector. Its first condition matches requests to the vulnerable admin-ajax endpoint, applying normalization and case-insensitivity transforms so that encoded or mixed-case variants of the path still match. A second condition inspects the `template` argument in the query string for the telltale `'../'` pattern; checking that one parameter in isolation, rather than the whole request, keeps false positives down. The existence of such a structured rule, together with proof-of-concept attack simulations and test templates already circulating in security repositories, indicates the vulnerability is being actively weaponized.
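The two rule conditions described above, as an added Python example written for this page (not the published rule, the plugin's code, or captured traffic): it normalizes both the request path and the `template` argument, checks the query string and the POST body (since the report describes a POST to admin-ajax.php), and additionally folds backslashes to slashes, an assumption beyond the rule as described. The sample requests and `EXAMPLE_ACTION` are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

TARGET_PATH = "/wp-admin/admin-ajax.php"


def normalize(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (catches double encoding), map
    backslashes to slashes and fold case, so `..%2F` or `..\\` still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()


def template_values(request: dict) -> list:
    """Isolate the `template` argument only, from the query string and, since the
    report describes a POST, the form body; other parameters are ignored."""
    query = urlsplit(request.get("uri", "")).query
    values = parse_qs(query, keep_blank_values=True).get("template", [])
    values += parse_qs(request.get("body", ""), keep_blank_values=True).get("template", [])
    return values


def matches_rule(request: dict) -> bool:
    """Both rule conditions: the request targets admin-ajax.php (after
    normalization) AND its `template` argument contains a `../` sequence."""
    path = normalize(urlsplit(request.get("uri", "")).path)
    if not path.endswith(TARGET_PATH):
        return False
    return any("../" in normalize(v) for v in template_values(request))


# Constructed sample requests (hypothetical, not captured traffic): (request, expected alert).
SAMPLES = [
    ({"uri": "/wp-admin/admin-ajax.php", "body": "action=EXAMPLE_ACTION&template=../../../example"}, True),
    # mixed-case path, double-encoded traversal in the query string
    ({"uri": "/blog/WP-Admin/admin-ajax.PHP?template=..%252F..%252Fexample", "body": ""}, True),
    ({"uri": "/wp-admin/admin-ajax.php", "body": "template=..%5C..%5Cexample"}, True),  # backslashes
    ({"uri": "/wp-admin/admin-ajax.php", "body": "action=EXAMPLE_ACTION&template=default"}, False),
    # traversal in an unrelated parameter: parameter isolation keeps this quiet
    ({"uri": "/wp-admin/admin-ajax.php", "body": "other=../../example&template=default"}, False),
    ({"uri": "/index.php?template=../../example", "body": ""}, False),  # not admin-ajax.php
]


def run_samples() -> list:
    """Return (alerted, expected) per constructed sample, for checking the rule."""
    return [(matches_rule(req), expected) for req, expected in SAMPLES]
```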

The public release of this detection logic signals immediate risk for any WooCommerce store running the affected HUSKY plugin. While the simulated attack is expected to return a 403 response, confirming that the rule fires, the real-world consequence is that unpatched sites are now exposed to automated scanning and potential data exfiltration. This puts direct pressure on site administrators and hosting providers to verify plugin versions and apply patches, since an exploit that requires no authentication lowers the barrier to widespread attacks.