CVE-2025-11691: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in themeisle PPOM – Product Addons & Custom Fields for WooCommerce
The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled.
AI Analysis
Technical Summary
CVE-2025-11691 is a SQL Injection vulnerability identified in the PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress, specifically in the PPOM_Meta::get_fields_by_id() function. This vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89), where user-supplied input is insufficiently escaped and the SQL query lacks proper preparation, allowing attackers to append arbitrary SQL commands. The vulnerability affects all versions up to and including 33.0.15 and is exploitable only when the 'Enable Legacy Price Calculations' setting is enabled. Notably, exploitation does not require any authentication or user interaction, making it remotely exploitable by unauthenticated attackers. Successful exploitation can lead to unauthorized extraction of sensitive information from the backend database, compromising confidentiality. The CVSS v3.1 score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to WooCommerce-based e-commerce sites using this plugin with legacy price calculations enabled. The lack of prepared statements and insufficient input sanitization are the root causes, highlighting the need for secure coding practices in plugin development. Since the plugin is widely used in WordPress e-commerce environments, the vulnerability could affect a broad range of organizations, especially those handling sensitive customer and transaction data.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive customer and transactional data stored in WooCommerce databases. Exploitation could lead to unauthorized data disclosure, including personally identifiable information (PII), payment details, and business-sensitive information. This can result in regulatory non-compliance under GDPR, leading to legal penalties and reputational damage. The vulnerability's unauthenticated and remote exploitability increases the attack surface, making it easier for threat actors to target vulnerable e-commerce sites. The impact is particularly severe for online retailers and service providers relying on WooCommerce with the affected plugin and legacy price calculations enabled. While integrity and availability are not directly impacted, the loss of confidentiality alone can have cascading effects, including customer trust erosion and financial losses. Additionally, attackers could use extracted data to facilitate further attacks such as phishing or fraud. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future exploitation. Organizations must prioritize remediation to protect their data and maintain compliance with European data protection laws.
Mitigation Recommendations
European organizations should immediately verify whether the PPOM – Product Addons & Custom Fields for WooCommerce plugin is installed and identify the version in use. If the installed version is 33.0.15 or earlier, they should check whether the 'Enable Legacy Price Calculations' setting is enabled; if so, disable this setting as a temporary mitigation to prevent exploitation. Organizations should monitor the plugin vendor's communications for patches addressing this vulnerability and apply them promptly once available. In the interim, implement web application firewall (WAF) rules to detect and block SQL injection attempts targeting the vulnerable function. Conduct thorough security audits of WooCommerce installations to identify and remediate other potential vulnerabilities. Limit database user permissions to the minimum necessary to reduce the impact of any potential SQL injection. Employ database activity monitoring to detect suspicious query patterns. Educate development and IT teams on secure coding practices, emphasizing the use of prepared statements and proper input sanitization. Regularly back up databases and test restoration procedures to minimize downtime in case of compromise. Finally, maintain up-to-date threat intelligence feeds to stay informed about emerging exploits related to this vulnerability.
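The root cause named in the technical summary (a user-supplied parameter concatenated into an unprepared query) and the fix the mitigation section calls for (prepared statements plus input coercion) are shown side by side below. This is an added illustrative example, not the PPOM plugin's actual code: the function names and the `ppom_fields` table name are hypothetical stand-ins, while `$wpdb->prepare()`, `$wpdb->get_results()` and `absint()` are real WordPress APIs.

```php
<?php
// Added illustrative example; not code from the PPOM plugin.
// Function names and the table name are hypothetical.

// Vulnerable pattern (CWE-89): the caller-supplied $id is interpolated
// straight into the SQL string, so any SQL metacharacters in it become
// part of the query. This is the shape of defect the advisory describes.
function get_fields_by_id_unsafe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ppom_fields';               // hypothetical table
    $sql   = "SELECT * FROM {$table} WHERE id = " . $id;  // no escaping, no preparation
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: coerce the parameter to the type the column expects,
// then bind it through $wpdb->prepare(), WordPress's parameterised-query API.
// Identifiers (the table name) cannot be bound, so they must stay constant
// and never come from request data.
function get_fields_by_id_safe( $id ) {
    global $wpdb;
    $id = absint( $id );          // only a non-negative integer can reach the query
    if ( 0 === $id ) {
        return array();           // reject empty/non-numeric input instead of querying
    }
    $table = $wpdb->prefix . 'ppom_fields';               // hypothetical table
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d",           // %d: integer placeholder
        $id
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The `%d` placeholder makes the bound value an integer literal regardless of what the caller passed, so the query text the database sees is fixed and only the value varies; the same applies to `%s` for string columns.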
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-13T15:24:04.178Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f33944197c8629076f80e0
Added to database: 10/18/2025, 6:52:52 AM
Last enriched: 10/18/2025, 7:07:49 AM
Last updated: 10/19/2025, 2:23:44 PM