CVE-2025-10046 is a medium-severity SQL Injection vulnerability affecting the ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress, specifically all versions up to and including 1.4.3. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89). The issue is located in the handling of the 'file_to_delete' parameter, which is insufficiently escaped and lacks proper preparation in the SQL query construction. This flaw allows an authenticated attacker with Administrator-level privileges or higher to inject additional SQL queries into existing database queries. Consequently, the attacker can extract sensitive information from the backend database, potentially exposing customer data, order details, or other confidential information stored within the WordPress/WooCommerce environment. The vulnerability requires no user interaction but does require high privileges (administrator or above), and it is remotely exploitable over the network. The CVSS v3.1 base score is 4.9, reflecting a medium severity primarily due to the requirement for elevated privileges and the lack of impact on integrity or availability. No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. However, the presence of this vulnerability in a widely used e-commerce plugin poses a significant risk if exploited, especially in environments where plugin updates are delayed or administrators have weak internal controls.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the ELEX Google Shopping plugin, this vulnerability could lead to unauthorized disclosure of sensitive customer and business data. This exposure can result in privacy violations under GDPR, leading to regulatory fines and reputational damage. The ability to extract database information could also facilitate further attacks, such as credential theft or fraud. Since the vulnerability requires administrator-level access, the risk is heightened if internal accounts are compromised or if malicious insiders exist. The impact is particularly critical for organizations handling large volumes of personal data or payment information. Additionally, data leakage could undermine customer trust and result in financial losses. Given the widespread use of WooCommerce in Europe, the vulnerability could affect small to medium-sized enterprises that may lack robust security monitoring and patch management processes.

1. Immediate mitigation involves restricting administrator access strictly to trusted personnel and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of privilege abuse. 2. Monitor and audit administrator activities and access logs for suspicious behavior related to the 'file_to_delete' parameter or unusual database queries. 3. Until an official patch is released, consider disabling or removing the ELEX WooCommerce Google Shopping plugin if feasible, or restrict its usage to non-critical environments. 4. Implement Web Application Firewall (WAF) rules that detect and block SQL injection patterns targeting the vulnerable parameter. 5. Regularly update WordPress, WooCommerce, and all plugins to their latest versions once patches become available. 6. Conduct security awareness training for administrators to recognize and prevent potential exploitation attempts. 7. Employ database activity monitoring tools to detect anomalous query patterns that may indicate exploitation attempts. 8. Review and harden database user permissions to limit the scope of data accessible by the WordPress application user.