HUSKY Products Filter for WooCommerce CVE-2025-11735 Blind SQL Injection – Brief Summary and Patch Guidance

A brief summary of CVE-2025-11735, a blind SQL injection vulnerability in the HUSKY Products Filter Professional for WooCommerce plugin affecting versions up to and including 1.3.7.1. This post covers technical details, affected versions, patch information, and vendor security history.
CVE Analysis

ZeroPath CVE Analysis

2025-10-27
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Sensitive WooCommerce customer data can be extracted by unauthenticated attackers if your store is running an outdated version of the HUSKY Products Filter Professional for WooCommerce plugin. This vulnerability, tracked as CVE-2025-11735, enables blind SQL injection through the product text search, putting WordPress e-commerce sites at risk of database content disclosure.

HUSKY Products Filter Professional for WooCommerce is a widely used WordPress plugin with over 100,000 active installations. It provides advanced product filtering capabilities for WooCommerce stores, making it a staple for many online retailers seeking customizable search and filter options.

Technical Information

CVE-2025-11735 is a blind SQL injection vulnerability affecting all versions of the HUSKY Products Filter Professional for WooCommerce plugin up to and including 1.3.7.1. The root cause is insufficient escaping and the absence of a prepared statement when the plugin's text filtering functionality handles the phrase parameter. This allows unauthenticated attackers to append attacker-controlled SQL to the backend query and, through blind inference, extract sensitive information from the WordPress database.

The vulnerable code is located in the following file and line:

  • /ext/by_text_2/index.php at line 164

The plugin constructs the SQL query by concatenating the user-supplied phrase parameter into the query string rather than binding it through a prepared statement. This enables both boolean-based and time-based blind SQL injection: the query result is never echoed back, but an attacker can infer database content one condition at a time by observing whether the filter returns products or how long the response takes.

The vulnerability is unauthenticated, meaning any site visitor can exploit it without logging in. This dramatically increases the risk profile for affected WooCommerce installations.
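The following is an added illustration written for this post, not the plugin's code. It shows the string-concatenation pattern the advisory describes beside the standard WordPress fix, using the `$wpdb` API. Only the `phrase` parameter name comes from the advisory; the function names, the table and the columns queried are assumptions chosen to make the pattern concrete.

```php
<?php
// Added example for this post. Not the plugin's code: the functions, the
// table and the columns are assumed; only the "phrase" parameter name is
// taken from the advisory.

// Vulnerable pattern: the phrase is spliced into the SQL text. A single
// quote inside $phrase terminates the string literal, so everything after
// it is parsed as SQL. The query still returns only product IDs, which is
// why exploitation is "blind": the attacker learns from whether rows come
// back (boolean-based) or how long the query takes (time-based).
function example_text_filter_vulnerable( $phrase ) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->posts}
            WHERE post_type = 'product'
              AND post_status = 'publish'
              AND post_title LIKE '%" . $phrase . "%'";
    return $wpdb->get_col( $sql );
}

// Hardened pattern: the phrase is a bound value and never part of the SQL.
//  - $wpdb->esc_like() escapes % and _ so the user cannot widen the match;
//  - the LIKE wildcards are added in PHP, outside the placeholder;
//  - $wpdb->prepare() with %s quotes and escapes the value for MySQL.
function example_text_filter_fixed( $phrase ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $phrase ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts}
         WHERE post_type = %s
           AND post_status = %s
           AND post_title LIKE %s",
        'product',
        'publish',
        $like
    );
    return $wpdb->get_col( $sql );
}

// Typical call site (assumed): read the request value, remove the slashes
// WordPress adds to request data, then bind it. No escaping is needed at
// this point because prepare() does it at the query boundary.
$phrase      = isset( $_GET['phrase'] ) ? wp_unslash( $_GET['phrase'] ) : '';
$product_ids = example_text_filter_fixed( $phrase );
```

Two points worth checking when reviewing a fix like this: `sanitize_text_field()` or `esc_sql()` on its own is not a substitute for `$wpdb->prepare()`, since escaping applied away from the query boundary is easy to bypass or forget on another code path; and `prepare()` does not escape LIKE wildcards, so `esc_like()` is still needed to stop `%` in the phrase from turning the filter into a full-table match.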

Patch Information

The developers of the HUSKY Products Filter Professional for WooCommerce plugin have addressed this vulnerability in version 1.3.7.2. Since every version up to and including 1.3.7.1 is affected, users must update to at least version 1.3.7.2 to remediate CVE-2025-11735. The changelog and update details are available on the WordPress.org plugin page.

Affected Systems and Versions

  • Product: HUSKY Products Filter Professional for WooCommerce (formerly WOOF)
  • Affected versions: All versions up to and including 1.3.7.1
  • Vulnerable configuration: Any WordPress installation with the affected plugin version active

Vendor Security History

The HUSKY Products Filter Professional for WooCommerce plugin has a documented history of security issues, including multiple SQL injection vulnerabilities (e.g., CVE-2024-6457, CVE-2023-40010) and other flaws such as XSS and access control weaknesses. The vendor has released patches in response to reported issues, but the recurrence of the same class of bug suggests that prepared statements and systematic code review have not been applied consistently across the codebase.
