The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) in its 'woof' shortcode implementation. Specifically, user-supplied attributes like 'swoof_slug' are not properly sanitized or escaped before being rendered in web pages. This allows authenticated users with contributor-level or higher permissions to inject arbitrary JavaScript code that executes in the context of users visiting the affected pages. The vulnerability affects all versions up to 1.3.5.1. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required at low level, no user interaction, and partial impact on confidentiality and integrity but no impact on availability. No patch or official fix has been documented yet.

An attacker with contributor-level or higher permissions can inject malicious scripts into pages via the vulnerable shortcode attributes. These scripts execute in the browsers of users who visit the injected pages, potentially leading to theft of session tokens, defacement, or other client-side attacks. The impact is limited to confidentiality and integrity with no availability impact. Since the attacker must have authenticated access with contributor or higher privileges, the risk is reduced compared to unauthenticated attacks but remains significant in environments where such roles are assigned broadly.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, limit contributor-level and higher permissions to trusted users only. Consider disabling or removing the vulnerable plugin if possible. Monitor for plugin updates from realmag777 that address this vulnerability and apply them promptly once available.