cvedb.io
CVE-2024-7491
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2024-09-25T03:15:03.417 · Last modified 2026-06-17T08:20:18.413

Summary

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.6.1 via the woof_messenger_remove_subscr AJAX action due to missing validation on the 'key' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to unsubscribe users from a product notification sign-ups, if they can successfully obtain or brute force the key value for users who signed up to receive notifications. This vulnerability requires the plugin's Products Messenger extension to be enabled.

Affected products

pluginus — husky_-_products_filter_professional_for_woocommerce

Does this affect you?

Add your gear to cvedb and we'll alert you only when pluginus ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.