CVE-2025-13110 is a medium-severity authorization bypass vulnerability identified in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, affecting all versions up to and including 1.3.7.3. The root cause is an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-639, which occurs in the woof_add_subscr function. This function fails to validate a user-controlled key parameter, allowing authenticated users with subscriber-level privileges or higher to manipulate the creation of product messenger subscriptions on behalf of other users, including administrators. This bypass of authorization controls can lead to unauthorized actions being performed with elevated privileges. The vulnerability is remotely exploitable over the network without user interaction, requiring only low privileges (subscriber level) to exploit. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) reflects that while confidentiality and availability are not impacted, the integrity of the system can be compromised. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The plugin is widely used in WooCommerce-based e-commerce sites, which are common across Europe, making this a relevant threat to organizations relying on this software for product filtering and subscription management.

For European organizations, this vulnerability poses a risk primarily to the integrity of their WooCommerce-based e-commerce platforms. Attackers with subscriber-level access can create or manipulate product messenger subscriptions on behalf of other users, including administrators, potentially enabling privilege escalation or unauthorized administrative actions. This could lead to unauthorized changes in product subscriptions, manipulation of customer data, or disruption of marketing and communication workflows. While the vulnerability does not directly impact confidentiality or availability, the integrity compromise can facilitate further attacks or fraud, damaging business operations and customer trust. Given the widespread use of WooCommerce in Europe, especially among small to medium-sized enterprises in retail and e-commerce sectors, the threat could affect a broad range of organizations. Additionally, unauthorized administrative actions could be leveraged to implant malicious code or alter site content, increasing the risk of reputational damage and regulatory non-compliance under GDPR if customer data is indirectly affected.

European organizations should immediately audit their WooCommerce installations to identify the presence of the HUSKY – Products Filter Professional plugin and its version. Since no official patch links are currently available, organizations should consider the following specific mitigations: 1) Restrict subscriber-level user capabilities by reviewing and tightening role permissions to limit access to functions related to product subscriptions. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the woof_add_subscr function or containing user-controlled keys in subscription creation parameters. 3) Monitor logs for unusual subscription creation activities, especially those initiated by subscriber-level accounts. 4) Temporarily disable or replace the vulnerable plugin with alternative product filtering solutions until a patch is released. 5) Engage with the plugin vendor or community to obtain updates or patches as soon as they become available. 6) Educate site administrators and users about the risks of privilege escalation and enforce strong authentication and session management practices to reduce the risk of compromised accounts being exploited.