From 89670255869c763538284489ec50ec3499a980d5 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:13:31 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2025-1661 rule --- .../crowdsecurity/vpatch-CVE-2025-1661.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-1661.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-1661.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-1661.yaml new file mode 100644 index 00000000000..b7bab39297e --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-1661.yaml @@ -0,0 +1,35 @@ +## autogenerated on 2026-04-15 13:13:28 +name: crowdsecurity/vpatch-CVE-2025-1661 +description: 'Detects unauthenticated local file inclusion in HUSKY Products Filter Professional for WooCommerce via the template parameter.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: /wp-admin/admin-ajax.php + - zones: + - ARGS + variables: + - template + transform: + - lowercase + - urldecode + match: + type: contains + value: '../' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'HUSKY Products Filter Professional - LFI' + classification: + - cve.CVE-2025-1661 + - attack.T1190 + - cwe.CWE-22 From 950e7ffcb166a2561e41fb617d3ec72f4b83d727 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:13:33 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2025-1661 test config --- .appsec-tests/vpatch-CVE-2025-1661/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-1661/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-1661/config.yaml b/.appsec-tests/vpatch-CVE-2025-1661/config.yaml new file mode 100644 index 00000000000..df1db1efb5c --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-1661/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-04-15 13:13:28 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-1661.yaml +nuclei_template: CVE-2025-1661.yaml From c834466dd1fe9fd946485d779460cc10e3ec2369 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:13:35 +0200 Subject: [PATCH 3/4] Add CVE-2025-1661.yaml test --- .../vpatch-CVE-2025-1661/CVE-2025-1661.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-1661/CVE-2025-1661.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-1661/CVE-2025-1661.yaml b/.appsec-tests/vpatch-CVE-2025-1661/CVE-2025-1661.yaml new file mode 100644 index 00000000000..2d25240e667 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-1661/CVE-2025-1661.yaml @@ -0,0 +1,21 @@ +## autogenerated on 2026-04-15 13:13:28 +id: CVE-2025-1661 +info: + name: CVE-2025-1661 + author: crowdsec + severity: info + description: CVE-2025-1661 testing + tags: appsec-testing +http: + - raw: + - | + POST /wp-admin/admin-ajax.php?template=../../../../../../../wp-config&value=a&min_symbols=1 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + action=woof_text_search& + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 80e777b85d43fe56d51c29327412c743f50f39c9 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:13:37 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2025-1661 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 7ccf9a8bf03..a9869a5a03d 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -82,6 +82,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-27956 - crowdsecurity/vpatch-CVE-2024-27954 - crowdsecurity/vpatch-CVE-2024-0012 +- crowdsecurity/vpatch-CVE-2025-1661 - crowdsecurity/vpatch-CVE-2024-9474 - crowdsecurity/vpatch-CVE-2024-7593 - crowdsecurity/vpatch-CVE-2024-52301