The HUSKY – Products Filter Professional for WooCommerce plugin, widely used in WordPress e-commerce sites, contains an authorization bypass vulnerability classified as CWE-639: Authorization Bypass Through User-Controlled Key. This vulnerability exists in all versions up to and including 1.3.7.3 within the 'woof_add_subscr' function. The root cause is an insecure direct object reference (IDOR) due to missing validation on a user-controlled key parameter. This allows authenticated attackers with subscriber-level privileges or higher to manipulate the subscription creation process, effectively impersonating other users, including administrators. By exploiting this flaw, an attacker can create product messenger subscriptions on behalf of arbitrary users, potentially leading to unauthorized notifications, manipulation of subscription data, or further privilege escalation. The vulnerability requires no user interaction beyond authentication and can be exploited remotely over the network. The CVSS 3.1 base score is 4.3, reflecting a low attack complexity and no impact on confidentiality or availability but a partial impact on integrity. No public exploits have been reported yet, but the vulnerability's presence in a popular WooCommerce plugin makes it a notable risk for e-commerce sites relying on this plugin for product filtering and subscription management.

For European organizations operating WooCommerce-based e-commerce platforms using the vulnerable HUSKY plugin, this vulnerability poses a risk of unauthorized manipulation of product messenger subscriptions. Attackers with minimal privileges (subscriber level) can escalate their influence by creating subscriptions on behalf of administrators or other users, potentially leading to unauthorized notifications, phishing attempts, or social engineering attacks leveraging the subscription system. While the vulnerability does not directly expose sensitive data or disrupt availability, the integrity compromise could facilitate further attacks or unauthorized actions within the platform. This could damage customer trust, lead to regulatory scrutiny under GDPR if personal data is indirectly affected, and impact business operations. Given the widespread use of WooCommerce in Europe, especially in countries with strong e-commerce markets like Germany, the UK, France, and the Netherlands, the threat is significant for online retailers relying on this plugin.

1. Immediate upgrade or patching: Organizations should check for updates from the vendor realmag777 and apply any patches or newer versions that address this vulnerability. 2. Access control review: Restrict subscriber-level permissions and audit user roles to minimize unnecessary privileges. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the 'woof_add_subscr' function or unusual subscription creation patterns. 4. Monitor logs for anomalous subscription creation activities, especially those initiated by subscriber-level accounts. 5. Disable or remove the HUSKY – Products Filter Professional plugin if it is not essential to business operations until a fix is available. 6. Conduct regular security assessments of WordPress plugins and maintain an inventory of installed components to quickly identify vulnerable versions. 7. Educate administrators and users about potential phishing or social engineering risks stemming from unauthorized subscription manipulations.