The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress suffers from a blind SQL Injection vulnerability identified as CVE-2025-11735. This vulnerability exists due to improper neutralization of special elements in SQL commands (CWE-89), specifically in the 'phrase' parameter used by the plugin. The plugin fails to properly escape or prepare the SQL query, allowing an attacker to append malicious SQL code. Since the vulnerability is blind SQL Injection, attackers can infer data from the database by observing application behavior or response times, even though direct query results are not returned. The flaw affects all plugin versions up to and including 1.3.7.1 and requires no authentication or user interaction, making it remotely exploitable over the network. The vulnerability primarily compromises confidentiality by enabling attackers to extract sensitive information from the backend database, such as user data, credentials, or business-critical information. The CVSS v3.1 base score is 7.5, reflecting the ease of exploitation (network vector, no privileges, no user interaction) and the high impact on confidentiality. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the risk remains significant for affected sites. The vulnerability is particularly concerning for e-commerce platforms relying on WooCommerce and this plugin for product filtering functionality.

The primary impact of CVE-2025-11735 is unauthorized disclosure of sensitive data stored in the WordPress site's database. Attackers can exploit the blind SQL Injection to extract confidential information such as customer details, payment data, or administrative credentials, potentially leading to identity theft, financial fraud, or further compromise of the affected systems. Since the vulnerability does not affect data integrity or availability, it does not allow direct modification or deletion of data or denial of service. However, the loss of confidentiality can have severe reputational and regulatory consequences for organizations, especially those handling personal or payment information. The ease of exploitation without authentication increases the risk of automated scanning and mass exploitation attempts. Organizations running WooCommerce with this plugin are at risk of data breaches, which could lead to legal liabilities and loss of customer trust.

To mitigate CVE-2025-11735, organizations should immediately update the HUSKY – Products Filter Professional for WooCommerce plugin to a patched version once available. In the absence of an official patch, implement the following measures: 1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'phrase' parameter. 2) Restrict access to the affected plugin endpoints by IP whitelisting or rate limiting to reduce exposure. 3) Conduct thorough input validation and sanitization at the application level, ensuring all user-supplied parameters are properly escaped or parameterized in SQL queries. 4) Monitor logs for unusual database query patterns or repeated failed attempts indicative of blind SQL injection probing. 5) Consider disabling or replacing the vulnerable plugin with alternative product filtering solutions that follow secure coding practices. 6) Regularly back up databases and maintain an incident response plan to quickly address any potential data breaches. These targeted mitigations go beyond generic advice by focusing on the specific vulnerable parameter and plugin context.