CVE-2025-10046 in ELEX WooCommerce Google Shopping Plugin
Summary
by MITRE • 09/06/2025
The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 09/17/2025
The CVE-2025-10046 vulnerability affects the ELEX WooCommerce Google Shopping plugin for WordPress, specifically targeting versions through 1.4.3. This security flaw represents a critical SQL injection vulnerability that exploits insufficient input validation and sanitization within the plugin's codebase. The vulnerability manifests through the 'file_to_delete' parameter, which receives user-supplied input without proper escaping mechanisms. Attackers with administrator-level privileges or higher can leverage this weakness to manipulate existing SQL queries and inject malicious SQL commands.
The technical implementation of this vulnerability stems from the plugin's failure to properly sanitize user input before incorporating it into database queries. According to CWE-89, this represents a classic SQL injection flaw where the application does not adequately escape special characters or use parameterized queries to separate SQL code from data. The vulnerability exists because the plugin directly concatenates the 'file_to_delete' parameter into SQL statements without proper preparation or escaping, creating an environment where malicious input can alter the intended query structure. This weakness aligns with ATT&CK technique T1071.004, which describes the use of application layer protocols to execute malicious commands.
The operational impact of this vulnerability is severe for affected WordPress installations, as it provides authenticated attackers with the capability to extract sensitive information from the database. With administrator-level access, attackers can potentially retrieve user credentials, product information, customer data, and other confidential database contents. The vulnerability's exploitation requires minimal privileges, making it particularly dangerous as it can be leveraged by compromised administrator accounts or attackers who have gained administrative access through other means. This weakness creates a persistent backdoor for data exfiltration and can facilitate further attacks within the compromised environment.
Organizations affected by CVE-2025-10046 should immediately update to the latest version of the ELEX WooCommerce Google Shopping plugin where the vulnerability has been patched. System administrators should implement comprehensive monitoring of database access patterns and query logs to detect potential exploitation attempts. The patch should address the root cause by implementing proper parameterized queries or escaping mechanisms for all user-supplied inputs. Additionally, organizations should conduct thorough security assessments of their WordPress installations to identify other plugins or themes that may exhibit similar vulnerabilities. Network segmentation and least-privilege access controls should be enforced to limit the potential impact of compromised administrator accounts. Regular security audits and vulnerability scanning should be implemented to maintain ongoing protection against similar SQL injection threats.