
    SQL Injection Vulnerability in PPOM WooCommerce Plugin

    Published Date: 10/18/2025
    CVE ID: CVE-2025-11691

    Summary

    The PPOM – Product Addons & Custom Fields for WooCommerce plugin is affected by an SQL Injection vulnerability in all versions up to and including 33.0.15. The flaw is in the `PPOM_Meta::get_fields_by_id()` function, which builds a database query from user-supplied input without adequate escaping or query preparation. It is only reachable when the plugin's 'Enable Legacy Price Calculations' setting is turned on; with that setting enabled, unauthorized users could append their own SQL to the query.

    Vulnerability Details

    The vulnerability resides in the `PPOM_Meta::get_fields_by_id()` function of the PPOM WooCommerce plugin. The function neither escapes the user-supplied parameter it receives nor prepares the query it builds from it, so the parameter is interpolated directly into SQL. An attacker who controls that parameter can therefore alter the query, for example to read data from other tables, which may expose sensitive information such as user records stored in the WordPress database. The vulnerable code path is only active when the 'Enable Legacy Price Calculations' setting is enabled, so sites with that setting off are not exposed through this function; sites with it on are exposed to unauthorized users. Practitioners reviewing their own code for the same class of bug should look for `$wpdb` queries that interpolate request data (including numeric-looking ID lists) instead of binding it through `$wpdb->prepare()`.
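    To make the class of bug concrete, the following is an added illustration written for this page; it is not code from the PPOM plugin and does not reproduce its internals. It assumes a hypothetical table `{$wpdb->prefix}demo_fields` with an integer `id` column and a hypothetical request parameter `field_ids` holding a comma-separated list of IDs, and contrasts the interpolation pattern the advisory describes (no escaping, no preparation) with the prepared-statement form a WordPress plugin should use.

```php
<?php
/**
 * Illustrative example only; NOT code from the PPOM plugin.
 *
 * Assumptions (hypothetical): a table {$wpdb->prefix}demo_fields with an
 * integer primary key `id`, and a request parameter `field_ids` that holds
 * a comma-separated list of IDs chosen by the client.
 */

// Vulnerable pattern: the raw string is spliced into the query. A value such
// as "1) UNION SELECT user_login, user_pass, 1 FROM wp_users -- " is parsed
// as SQL rather than as a list of integers, which is the kind of query
// manipulation the advisory above describes.
function demo_get_fields_by_id_vulnerable( $ids_csv ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_fields';
    // No escaping and no $wpdb->prepare(): classic SQL injection.
    $sql = "SELECT * FROM {$table} WHERE id IN ({$ids_csv})";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: coerce every element to a non-negative integer, build one
// %d placeholder per element, and let $wpdb->prepare() bind the values.
function demo_get_fields_by_id_safe( $ids_csv ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_fields';

    // absint() runs abs(intval()) on each token: a token that does not start
    // with a digit becomes 0 and is dropped by array_filter(); a token such as
    // "1) UNION SELECT ..." collapses to the harmless integer 1.
    $ids = array_filter( array_map( 'absint', explode( ',', (string) $ids_csv ) ) );
    if ( empty( $ids ) ) {
        return array();
    }

    // One %d per ID, e.g. "%d,%d,%d" for three IDs. The table name is not
    // user-controlled, so interpolating it is safe; the values are bound.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id IN ({$placeholders})",
        array_values( $ids )
    );
    return $wpdb->get_results( $sql );
}

// Usage inside a request handler (hypothetical parameter name):
// $fields = demo_get_fields_by_id_safe( wp_unslash( $_POST['field_ids'] ?? '' ) );
```

    The hardened version relies on two independent controls: type coercion with `absint()` removes everything that is not an integer, and `$wpdb->prepare()` binds whatever remains, so even a future change that relaxes the coercion would not reopen the injection. Reviewers auditing a plugin can grep for `$wpdb->get_results(`, `$wpdb->query(` and `$wpdb->get_var(` calls whose argument is a string built with `.` or `{}` interpolation and check whether each one went through `prepare()`.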

    Recommendations

    The affected range is every version up to and including 33.0.15, so the primary action is to update the plugin to a release newer than that as soon as one is available; until then, disable the 'Enable Legacy Price Calculations' setting in the plugin's settings unless it is essential, since the vulnerable code path is only active when that setting is on. A web application firewall can detect and block common SQL injection payloads, but it is a stopgap rather than a fix, as an attacker can often encode or restructure a payload past signature rules. Restricting database permissions reduces what a successful injection can reach, with the caveat that WordPress runs every plugin query through the single database account configured in `wp-config.php`, so the restriction mostly limits damage to other databases on the same server rather than separating the plugin from tables such as `wp_users`. Audit installed plugins regularly to confirm they are up to date, and monitor web server and database logs for requests to the plugin's endpoints that carry SQL keywords or comment sequences in their parameters.

    Available Fixes

    Last Updated: 10/19/2025
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.

    All Rights Reserved © 2025 Jedar for Digital Rights.
