漏洞描述
HUSKY的WooCommerce插件WordPress产品过滤器专业版存在本地文件包含漏洞,该漏洞存在于所有版本,包括最高版本1.3.6.5,其影响途径是woof_text_search AJAX操作的'template'参数。这使得未经身份验证的攻击者能够在服务器上包含并执行任意文件,允许执行这些文件中的任何PHP代码。这可以用于绕过访问控制,获取敏感数据,或者在上传和包含图像和其他“安全”文件类型的情况下实现代码执行。
HUSKY-WooCommerce /wp-admin/admin-ajax.php 文件包含漏洞 (CVE-2025-1661)
PoC代码
暂无相关漏洞推荐
- WordPress Drag and Drop Multiple File Upload for WooCommerce dnd_codedropz_upload_wc 文件上传漏洞(CVE-2025-4403)
- WordPress Broken Link Notifier /wp-admin/admin-ajax.php blnotifier_blinks 服务器端请求伪造漏洞(CVE-2025-6851)
- POC wp-ajax-load-more-anything-fpd: WordPress Load More Anything - Full Path Disclosure
- POC wp-ajax-search-lite-fpd: WordPress Ajax Search Lite - Full Path Disclosure
- POC wp-woocommerce-admin-fpd: WordPress Plugin WooCommerce Admin (woocommerce-admin) Full Path Disclosure
- 畅捷通-TPlus /tplus/ajaxpro/ASP_sm_setupaccount_versionupdate_selectbackupfileonserver_aspx App_Web_selectbackupfileonserver.aspx.1cbd2a00.ashx 目录遍历漏洞
- POC CVE-2024-4455: YITH WooCommerce Ajax Search <= 2.4.0 - Cross-Site Scripting
- POC wp-yith-woocommerce-wishlist-fpd: WordPress YITH WooCommerce Wishlist - Full Path Disclosure
- WordPress Plugin Alone Theme /wp-admin/admin-ajax.php beplus_import_pack_install_plugin 文件上传漏洞(CVE-2025-5394)
- Ilevia EVE X1 Server /ajax/php/leaf_replace_device.php 命令执行漏洞
- WordPress Time Clock 插件 /wp-admin/admin-ajax.php 代码执行漏洞 (CVE-2024-9593)
- Ilevia EVE X1 Server /ajax/history/get_history_data_odic.php 命令执行漏洞
- WordPress wp-event-solution 插件 /wp-admin/admin-ajax.php 文件读取漏洞(CVE-2025-47445)