CVE-2025-11691 is a SQL Injection vulnerability identified in the PPOM – Product Addons & Custom Fields for WooCommerce plugin, a popular WordPress extension used to add custom fields and product addons in WooCommerce stores. The vulnerability exists in the PPOM_Meta::get_fields_by_id() function due to improper sanitization and escaping of user-supplied input parameters. Specifically, the plugin fails to adequately prepare SQL queries, allowing attackers to append arbitrary SQL commands. This flaw is exploitable only when the 'Enable Legacy Price Calculations' setting is enabled, which alters how pricing data is handled internally. An unauthenticated attacker can exploit this vulnerability remotely without any user interaction, injecting malicious SQL to retrieve sensitive data from the underlying database, such as customer information, order details, or administrative credentials. The CVSS 3.1 score of 7.5 reflects the high impact on confidentiality with no impact on integrity or availability, and the low attack complexity and no required privileges or user interaction. No public exploits have been reported yet, but the vulnerability's characteristics make it a prime target for attackers once weaponized. The plugin is widely used in WooCommerce installations, which are prevalent across many European e-commerce websites, increasing the potential attack surface. The lack of official patches at the time of disclosure necessitates immediate mitigation steps to prevent exploitation.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the PPOM plugin, this vulnerability poses a significant risk to the confidentiality of sensitive customer and business data. Successful exploitation could lead to unauthorized data disclosure, including personal customer information and transactional data, potentially violating GDPR and other data protection regulations. This could result in legal penalties, reputational damage, and loss of customer trust. The vulnerability does not affect data integrity or availability directly but the exposure of confidential data alone is critical. Given the high adoption of WordPress and WooCommerce in Europe, particularly in countries with mature e-commerce markets such as Germany, the UK, France, and the Netherlands, the threat is substantial. Attackers could leverage this vulnerability to conduct further attacks, including identity theft, fraud, or targeted phishing campaigns against affected organizations. The fact that exploitation requires no authentication or user interaction increases the risk of automated scanning and mass exploitation attempts.

European organizations should immediately assess whether they use the PPOM – Product Addons & Custom Fields for WooCommerce plugin and verify the version in use. If the version is 33.0.15 or earlier, they should disable the 'Enable Legacy Price Calculations' setting as a temporary mitigation to prevent exploitation. Monitoring and restricting access to the affected function via web application firewalls (WAFs) with SQL injection detection rules can provide an additional layer of defense. Organizations should stay alert for official patches or updates from the vendor (themeisle) and apply them promptly once released. Conducting thorough security audits and database access monitoring to detect unusual query patterns is advisable. Additionally, implementing least privilege principles for database access and ensuring backups are up to date will help mitigate potential damage. Finally, educating development and security teams about this vulnerability and encouraging timely plugin updates across all WordPress instances is critical to reducing exposure.