CVE-2024-1795 in Husky Plugininfo

Summary

by MITRE • 03/15/2024

The HUSKY – Products Filter for WooCommerce Professional plugin for WordPress is vulnerable to SQL Injection via the 'name' parameter in the woof shortcode in all versions up to, and including, 1.3.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/13/2026

The vulnerability identified as CVE-2024-1795 affects the HUSKY – Products Filter for WooCommerce Professional plugin, a widely used WordPress extension that enables advanced product filtering capabilities within WooCommerce stores. This plugin version 1.3.5.2 and earlier contains a critical SQL injection flaw that compromises database security through improper input validation and sanitization practices. The vulnerability specifically manifests when processing the 'name' parameter within the woof shortcode functionality, which is commonly used to display product filters on WooCommerce product pages. The flaw represents a significant security weakness that directly impacts the integrity and confidentiality of e-commerce data stored within WordPress databases.

The technical exploitation of this vulnerability occurs through insufficient escaping of user-supplied parameters within the plugin's database query construction process. The 'name' parameter in the woof shortcode fails to undergo proper sanitization before being incorporated into SQL queries, allowing attackers to inject malicious SQL fragments that become part of existing database operations. This lack of input validation creates a condition where authenticated users with contributor-level privileges or higher can manipulate the SQL execution flow to perform unauthorized database operations. The vulnerability stems from inadequate preparation of SQL queries and demonstrates poor secure coding practices that violate fundamental database security principles.

The operational impact of CVE-2024-1795 extends beyond simple data theft, as authenticated attackers can leverage this vulnerability to extract sensitive information from the WordPress database through carefully crafted SQL injection payloads. Attackers with contributor-level access or higher can potentially access customer information, product details, order histories, and other confidential data stored within the WooCommerce database. This vulnerability undermines the trust model of WordPress-based e-commerce systems and could lead to significant financial and reputational damage for affected businesses. The attack vector is particularly concerning because it requires minimal privilege escalation and can be executed through legitimate plugin functionality.

Security mitigations for this vulnerability should prioritize immediate plugin updates to versions that address the SQL injection flaw through proper input sanitization and parameterized query construction. Organizations should implement network-level restrictions to limit access to WordPress admin interfaces and enforce strict role-based access controls to prevent unauthorized privilege escalation. Additionally, database query monitoring and intrusion detection systems should be deployed to identify suspicious SQL execution patterns that may indicate exploitation attempts. This vulnerability aligns with CWE-89 which describes SQL injection flaws, and represents a clear violation of ATT&CK technique T1071.004 for application layer protocol manipulation, making it a critical priority for immediate remediation across all affected WordPress installations.

Responsible

Wordfence

Reservation

02/22/2024

Disclosure

03/15/2024

Moderation

accepted

CPE

ready

EPSS

0.00565

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!