Published On: Mar 14, 2025 17:15
Advisory No: TZCERT-SA-25-0068
Source: Wordfence
Software Affected: workreap, woocommerce-products-filter
The WordPress plugins workreap and woocommerce-products-filter contain critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to execute arbitrary code.
The WordPress plugins workreap and woocommerce-products-filter are affected by the vulnerabilities tracked as CVE-2025-1315 and CVE-2025-1661, each with a CVSS score of 9.8. The flaws are improper validation of a user's identity and Local File Inclusion via the 'template' parameter of the woof_text_search AJAX action. They allow unauthenticated attackers to bypass access controls, obtain sensitive data, or achieve code execution.
Successful exploitation of these vulnerabilities may allow attackers to take control of the affected system.
WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
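For sites that cannot be updated immediately, the following added example (not part of the advisory or of either plugin) reviews web-server access logs for woof_text_search requests whose 'template' value is not a plain name. It assumes combined-format logs, requests routed through WordPress's /wp-admin/admin-ajax.php endpoint with parameters in the query string, and an allowlist pattern for legitimate template names; the function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=default HTTP/1.1" 200 512
203.0.113.11 - - [14/Mar/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=..%2Fplaceholder HTTP/1.1" 200 90
203.0.113.12 - - [14/Mar/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40
203.0.113.13 - - [14/Mar/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40
203.0.113.14 - - [14/Mar/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=woof_text_search&template=default&template=a%2Fb HTTP/1.1" 200 90
"""

# client IP, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Assumption: a legitimate template value is a bare name with no path
# separators, dots or percent signs. Adjust to what your site really sends.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def scan_access_log(log_text):
    """Return one finding per woof_text_search 'template' value that is not a bare name."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        ip, method, target, status = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # parse_qs percent-decodes once and keeps every repeated parameter.
        params = parse_qs(url.query, keep_blank_values=True)
        if "woof_text_search" not in params.get("action", []):
            continue
        for value in params.get("template", []):
            if not SAFE_NAME.fullmatch(value):
                findings.append({"ip": ip, "method": method,
                                 "template": value, "status": int(status)})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

POST bodies are not recorded in standard access logs, so requests like the fourth sample line are invisible to this check and need WAF or application-level logging instead.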