CVE-2025-10046 identifies an SQL Injection vulnerability in the ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress, present in all versions up to and including 1.4.3. The vulnerability arises from improper neutralization of special elements in the 'file_to_delete' parameter, which is used in SQL queries without sufficient escaping or parameterization. This allows an attacker with authenticated Administrator-level access or higher to append arbitrary SQL commands to existing queries. The flaw is classified under CWE-89, indicating improper input validation leading to injection attacks. Exploiting this vulnerability can enable attackers to extract sensitive information from the backend database, such as user data, credentials, or business-critical information. The CVSS 3.1 base score is 4.9 (medium severity), reflecting the requirement for high privileges (PR:H), network attack vector (AV:N), no user interaction (UI:N), and impact limited to confidentiality (C:H) without affecting integrity or availability. No patches or exploits are currently publicly available, but the vulnerability poses a risk to websites using this plugin, especially those with high-value data. The vulnerability's exploitation requires administrative access, which limits exposure but still represents a serious risk if an attacker gains such privileges through other means.

The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the WordPress site's database, including potentially customer information, order details, and other confidential business data. Since the vulnerability requires Administrator-level access, the risk is elevated if an attacker can compromise or collude with an admin account. The integrity and availability of the system are not directly affected, but data confidentiality breaches can lead to reputational damage, regulatory penalties (e.g., GDPR), and financial loss. For organizations running WooCommerce stores with this plugin, especially those handling large volumes of customer data or operating in regulated industries, the vulnerability could facilitate data exfiltration by malicious insiders or attackers who have escalated privileges. The lack of known exploits reduces immediate risk, but the presence of this vulnerability in a widely used e-commerce plugin means it could become a target once exploit code is developed.

Organizations should immediately verify if they use the ELEX WooCommerce Google Shopping (Google Product Feed) plugin and identify the installed version. Since no official patch links are provided yet, administrators should consider the following mitigations: (1) Restrict Administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of privilege abuse. (2) Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'file_to_delete' parameter. (3) Monitor logs for unusual database query activity or unexpected parameter values related to this plugin. (4) If possible, temporarily disable or remove the plugin until a patched version is released. (5) Follow vendor announcements closely for updates or patches and apply them promptly. (6) Conduct regular security audits and vulnerability scans focusing on WordPress plugins to detect similar issues proactively. (7) Employ principle of least privilege for database accounts used by WordPress to limit data exposure in case of injection.