The vulnerability identified as CVE-2025-13110 affects the HUSKY – Products Filter Professional for WooCommerce plugin, a WordPress extension widely used for product filtering and subscription management in e-commerce stores. The issue stems from an insecure direct object reference (CWE-639) caused by insufficient validation of a user-controlled key parameter within the "woof_add_subscr" function. This function is responsible for adding product messenger subscriptions. Because the plugin fails to verify the legitimacy of the user key, authenticated users with low-level privileges (subscriber or above) can manipulate this parameter to create subscriptions on behalf of other users, including those with administrative privileges. This bypasses intended authorization controls, potentially allowing privilege escalation or unauthorized actions within the WooCommerce environment. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The impact primarily affects data integrity, as unauthorized subscription creation could be used to manipulate user data or trigger unintended behaviors in the system. The vulnerability affects all versions up to and including 1.3.7.3, with no patches currently available. Although no known exploits have been reported in the wild, the presence of this flaw in a popular e-commerce plugin makes it a significant risk for affected sites.

This vulnerability can lead to unauthorized actions performed under the guise of other users, including administrators, which undermines the integrity of the affected WooCommerce stores. Attackers with subscriber-level access could abuse this flaw to create subscriptions that may trigger notifications, promotions, or other automated workflows, potentially causing confusion, reputational damage, or indirect financial impact. While confidentiality and availability are not directly affected, the ability to impersonate higher-privileged users could be leveraged in combination with other vulnerabilities to escalate privileges or disrupt normal operations. For organizations relying on WooCommerce and this plugin, especially those with large user bases or sensitive e-commerce data, this vulnerability represents a moderate risk that could facilitate further attacks or unauthorized modifications within their environment.

To mitigate this vulnerability, organizations should immediately restrict subscriber-level users from accessing subscription creation functionalities until a patch is available. Implement strict server-side validation of all user-controlled keys in the "woof_add_subscr" function to ensure that subscription actions can only be performed on behalf of the authenticated user or authorized roles. Employ role-based access controls (RBAC) to limit permissions for subscription management to trusted user roles only. Monitor logs for unusual subscription creation activities that may indicate exploitation attempts. Additionally, maintain up-to-date backups and consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting this plugin. Finally, track vendor updates closely and apply patches promptly once released.