CVE Alert: CVE-2025-11691 – themeisle – PPOM – Product Addons & Custom Fields for WooCommerce

CVE-2025-11691

Severity
HIGH
No exploitation known

The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled.

CVSS v3.1 base score: 7.5
Vendor: themeisle
Product: PPOM – Product Addons & Custom Fields for WooCommerce
Versions: <= 33.0.15 (all versions up to and including 33.0.15)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published: 2025-10-18T06:42:49.184Z
Updated: 2025-10-18T06:42:49.184Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated, network-accessible SQL injection that could exfiltrate data if the legacy price calculations feature is enabled; treat as a priority for affected deployments.

Why this matters

The flaw allows attackers to append SQL to existing queries without authentication, potentially exposing sensitive database content. With no user interaction required and a high base score, automated exploitation is plausible where the gating feature is enabled, risking data leakage, compliance exposure, and reputational damage.

Most likely attack path

An unauthenticated attacker targets the affected endpoint, sending crafted input that the plugin fails to escape when the legacy price calculation setting is enabled. Because the attack vector is the network, no privileges or user interaction are required, and attack complexity is low, successful exploitation can read or extract data from the database. Lateral movement would be limited by WordPress permissions, but exfiltration of order, user, or configuration data could still occur if the attacker finds exposed data.

Who is most exposed

WordPress sites using WooCommerce with the PPOM addon and the legacy price calculations feature enabled—common in small to mid-size e-commerce deployments, often on shared hosting or standard hosting stacks.

Detection ideas

  • Unusual or verbose SQL queries, and SQL errors, in application or web-server logs tied to the PPOM path.
  • Spikes in database read activity or data exfiltration indicators from the WordPress DB.
  • Unauthorised access attempts to the affected endpoint from external sources.
  • Alerts for changes or toggling of the Legacy Price Calculations setting.
  • WAF/SIEM flags for SQLi patterns targeting the plugin.
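As an added illustration of the detection ideas above (not code from this page or from the plugin), the following Python scanner flags classic SQL-injection patterns in web-server access logs and raises the priority of requests that reference the plugin with a non-numeric id, since PPOM_Meta::get_fields_by_id() expects an id. The sample log lines, the `ppom` request marker and the `id` parameter name are constructed assumptions; the page does not name the vulnerable endpoint.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
# The "ppom"-prefixed action names and the "id" parameter are assumptions for illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Oct/2025:07:01:02 +0000] "GET /?wc-ajax=ppom_example&id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Oct/2025:07:01:05 +0000] "GET /?wc-ajax=ppom_example&id=42%27%20UNION%20SELECT%201%2C2%2C3--%20- HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [18/Oct/2025:07:02:00 +0000] "GET /shop/?id=1%20OR%201%3D1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.12 - - [18/Oct/2025:07:03:10 +0000] "POST /wp-admin/admin-ajax.php?action=ppom_example&id=7%20AND%20SLEEP(5) HTTP/1.1" 200 100 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Classic SQL-injection signatures, applied to the URL-decoded request target.
SQLI_RE = re.compile(
    r"union\s+(all\s+)?select|\bor\s+\d+\s*=\s*\d+|\b(sleep|benchmark)\s*\(|"
    r"information_schema|--[\s-]|/\*|;\s*(select|insert|update|drop)\b",
    re.I,
)
PLUGIN_MARKER = "ppom"  # assumption: plugin requests carry this in the path or query string
ID_PARAMS = ("id",)     # get_fields_by_id() takes an id, so a non-integer value is a red flag

def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m.group("target"))
    reasons = []
    if SQLI_RE.search(target):
        reasons.append("sqli-pattern")
    if PLUGIN_MARKER in target.lower():
        reasons.append("targets-ppom")
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for p in ID_PARAMS:
            for v in query.get(p, []):
                if not v.strip().isdigit():
                    reasons.append(f"non-numeric {p}={v!r}")
    # Flag generic SQLi anywhere on the site, or any malformed id aimed at the plugin.
    plugin_hit = "targets-ppom" in reasons and len(reasons) > 1
    if "sqli-pattern" not in reasons and not plugin_hit:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "target": target, "reasons": reasons}

def scan_log(text):
    """Scan a multi-line log; findings keep the input order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]
```

Findings carrying both `sqli-pattern` and `targets-ppom` are the ones to triage first on a site with the legacy price calculation setting enabled.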

Mitigation and prioritisation

  • Update to the latest plugin version that addresses the flaw; verify the update has taken effect.
  • Disable the Legacy Price Calculations feature if not required.
  • Implement least-privilege database accounts for WordPress and restrict direct DB access.
  • Enable WAF rules or SQLi protections specific to the affected endpoints; monitor for injection patterns.
  • Plan testing and rollout in staging before production; maintain backups and change-control records.
