CVE-2024-7491

Name of the Vulnerable Software and Affected Versions HUSKY – Products Filter Professional for WooCommerce plugin for WordPress versions up to, and including, 1.3.6.1

Description The issue is related to Insecure Direct Object Reference. It affects the plugin via the woof messenger remove subscr AJAX action due to missing validation on the key user-controlled key. This allows authenticated attackers with subscriber-level access and above to unsubscribe users from product notification sign-ups if they can obtain or brute force the key value for users who signed up to receive notifications. The vulnerability requires the plugin's Products Messenger extension to be enabled.

Recommendations For versions up to, and including, 1.3.6.1, consider disabling the woof messenger remove subscr AJAX action or restricting access to the Products Messenger extension until a patch is available. Additionally, restrict the use of the key variable to minimize the risk of exploitation.