CVE-2025-11735
HUSKY · HUSKY – Products Filter Professional for WooCommerce plugin for WordPress
A high-severity vulnerability has been identified in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress.
Executive summary
A high-severity vulnerability has been identified in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress. This flaw allows an unauthenticated attacker to steal sensitive information from the website's database, such as customer data, order details, or user credentials, by sending specially crafted requests to the server.
Vulnerability
The vulnerability is a blind SQL Injection that exists due to insufficient sanitization of user-supplied input in the phrase parameter. An unauthenticated attacker can craft a malicious request containing specific SQL payloads and send it to the vulnerable parameter. Because the injection is "blind," the attacker does not receive direct data output but can infer the database's contents by observing the application's responses to a series of true/false queries or by inducing time delays, allowing for the gradual exfiltration of sensitive database information.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach, allowing an attacker to access and exfiltrate sensitive information stored in the website's database. This may include customer personally identifiable information (PII), order histories, and potentially hashed user passwords. The consequences of such a breach include reputational damage, loss of customer trust, financial costs associated with incident response, and potential regulatory fines for non-compliance with data protection regulations like GDPR or CCPA.
Remediation
Immediate Action: Update the HUSKY – Products Filter Professional for WooCommerce plugin to the latest patched version provided by the vendor without delay. After updating, review the plugin's security settings to ensure they are configured correctly. If the plugin is no longer necessary for business operations, deactivate and remove it entirely to reduce the attack surface.
Proactive Monitoring: Monitor web server and Web Application Firewall (WAF) logs for suspicious requests targeting the vulnerable phrase parameter. Look for common SQL injection keywords (e.g., SELECT, UNION, SLEEP, BENCHMARK) and patterns of repeated, systematically changing queries. Monitor database logs for an unusual number of errors or slow-performing queries, which can be indicative of time-based blind SQL injection attempts.
Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a robust SQL injection rule set to block malicious requests targeting this vulnerability. Ensure the WAF is in blocking mode and not just logging/alerting. Additionally, restrict database user permissions to follow the principle of least privilege, limiting the potential impact of a successful injection.
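As an added example (not part of this advisory or of the plugin's code), the monitoring guidance above turned into detection logic and run over constructed access-log lines: it decodes the phrase parameter, matches the keywords and blind-injection shapes the advisory names, and groups hits by source address so that repeated, systematically varying probes stand out while ordinary searches do not. The combined log format, the /shop/ path and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample web server log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /shop/?phrase=running+shoes HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2025:12:00:02 +0000] "GET /shop/?phrase=a%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2025:12:00:09 +0000] "GET /shop/?phrase=a%27+AND+1%3D1--+ HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2025:12:00:10 +0000] "GET /shop/?phrase=a%27+AND+1%3D2--+ HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2025:12:00:11 +0000] "GET /shop/?phrase=a%27+AND+BENCHMARK%285000000%2CMD5%281%29%29--+ HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:12:00:12 +0000] "GET /shop/?phrase=red+sleeping+bag HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Keywords named in the advisory (SELECT, UNION, SLEEP, BENCHMARK) plus the
# quote-then-boolean and trailing-comment shapes typical of blind injection.
SQLI_RE = re.compile(
    r"\b(select|union)\b|\b(sleep|benchmark)\s*\(|['\"]\s*(and|or)\b|--\s*$",
    re.IGNORECASE,
)

def extract_phrase(target):
    """Return the decoded 'phrase' query value from a request target, or None."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = qs.get("phrase")
    return values[0] if values else None

def is_suspicious(phrase):
    return phrase is not None and SQLI_RE.search(phrase) is not None

def analyze(log_text, threshold=3):
    """Group suspicious 'phrase' requests by source IP; report sources at or over threshold."""
    per_ip = defaultdict(lambda: {"hits": 0, "distinct": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        phrase = extract_phrase(m.group("target"))
        if is_suspicious(phrase):
            entry = per_ip[m.group("ip")]
            entry["hits"] += 1
            entry["distinct"].add(phrase)
    # Many distinct payload variants from one source is the "systematically changing" pattern.
    return {ip: {"hits": e["hits"], "distinct": len(e["distinct"])}
            for ip, e in per_ip.items() if e["hits"] >= threshold}

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} suspicious requests, {info['distinct']} distinct payloads")
```

Word-boundary and function-call anchoring keeps benign searches such as "red sleeping bag" out of the results; tune the threshold and window to the site's normal search volume.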
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) and the risk of sensitive data exfiltration, it is strongly recommended that organizations using the affected plugin prioritize applying the vendor-supplied patch immediately. Although there is no current evidence of active exploitation, the public disclosure of this vulnerability increases the likelihood of attack. Organizations should treat this as a critical issue and implement the recommended remediation and monitoring actions to prevent a potential data breach.