CVE-2025-10046 is a medium-severity SQL Injection vulnerability affecting the ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress, specifically versions up to and including 1.4.3. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89) within the 'file_to_delete' parameter. Due to insufficient escaping and lack of prepared statements or parameterized queries, an authenticated attacker with Administrator-level privileges or higher can inject malicious SQL code by appending additional queries to the existing SQL commands. This flaw allows the attacker to extract sensitive information from the underlying database, potentially exposing customer data, order details, or other confidential business information stored within the WooCommerce environment. The vulnerability requires no user interaction beyond having high-level access, and the attack vector is network-based (remote exploitation). Although the CVSS score is 4.9 (medium), the impact on confidentiality is high, while integrity and availability remain unaffected. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is significant because WooCommerce is a widely used e-commerce platform, and plugins like ELEX Google Shopping are popular for product feed management, making this a relevant risk for online retailers using WordPress in their infrastructure.

For European organizations, particularly e-commerce businesses relying on WooCommerce and the ELEX Google Shopping plugin, this vulnerability poses a risk of unauthorized data disclosure. Attackers with administrator access could leverage this flaw to extract sensitive customer information, including personal data protected under GDPR, leading to regulatory penalties and reputational damage. The breach of confidential business data could also facilitate further attacks such as phishing or fraud. Although exploitation requires administrator privileges, insider threats or compromised admin accounts could be leveraged. The impact is particularly critical for organizations handling large volumes of customer transactions or sensitive payment information. Additionally, the exposure of such data could undermine customer trust and lead to financial losses. Since the vulnerability does not affect data integrity or availability, the primary concern remains confidentiality breaches. European organizations must consider the GDPR implications of any data leakage resulting from this vulnerability.

1. Immediate mitigation involves restricting administrator access strictly to trusted personnel and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 2. Monitor and audit administrator activities and access logs for suspicious behavior indicative of exploitation attempts. 3. Until an official patch is released, consider disabling or removing the ELEX WooCommerce Google Shopping plugin if it is not critical to business operations. 4. For organizations that must continue using the plugin, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'file_to_delete' parameter. 5. Review and harden database permissions to limit the scope of data accessible by the WordPress application user. 6. Once available, promptly apply vendor patches or updates addressing this vulnerability. 7. Conduct regular security assessments and penetration testing focused on plugin vulnerabilities and SQL injection risks. 8. Educate administrators about the risks of SQL injection and the importance of secure plugin management.