Medium severity4.3NVD Advisory· Published Dec 3, 2025· Updated Apr 15, 2026

CVE-2025-13109

Description

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators.

Affected products

WordPress/Products Filter Professional For Woocommerceinferred
Range: <=1.3.7.2
Package: https://wordpress.org/plugins/products-filter-professional-for-woocommerce

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/3400527nvd
www.wordfence.com/threat-intel/vulnerabilities/id/9effc186-c225-4b3b-9b8c-c453505a41denvd

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000