CVE-2025-11691 identifies a SQL Injection vulnerability in the PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress, specifically within the PPOM_Meta::get_fields_by_id() function. This vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89), where user input is insufficiently escaped and the SQL query is not properly prepared, allowing attackers to append arbitrary SQL commands. The vulnerability affects all plugin versions up to and including 33.0.15. Exploitation is conditional on the 'Enable Legacy Price Calculations' setting being enabled, which likely alters the code path to the vulnerable function. The attack vector is remote and requires no authentication or user interaction, making it highly accessible to attackers. Successful exploitation can lead to unauthorized extraction of sensitive information from the WordPress database, compromising confidentiality. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation and the impact on confidentiality, while integrity and availability remain unaffected. No patches or known exploits have been reported at the time of publication, but the vulnerability poses a significant risk to affected sites, especially e-commerce platforms relying on this plugin for product customization and pricing.

The primary impact of this vulnerability is the potential unauthorized disclosure of sensitive data stored in the WordPress database, including customer information, product details, and possibly payment-related data if stored insecurely. Since the vulnerability allows unauthenticated remote attackers to execute arbitrary SQL queries, it can lead to data breaches without requiring user credentials or interaction. This undermines the confidentiality of the affected systems. Although integrity and availability are not directly impacted, the exposure of sensitive data can lead to reputational damage, regulatory penalties (e.g., GDPR, CCPA), and financial losses for organizations. E-commerce sites using the vulnerable plugin with legacy price calculations enabled are particularly at risk, as attackers can exploit this to gain competitive intelligence or customer data. The widespread use of WooCommerce and the plugin in various countries increases the potential attack surface globally.

Organizations should immediately verify if the 'Enable Legacy Price Calculations' setting is enabled in their PPOM plugin configuration and disable it if not required, as this setting gatekeeps the vulnerability. If disabling the setting is not feasible, they should monitor for updates from ThemeIsle and apply patches as soon as they are released. In the absence of an official patch, applying Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the vulnerable function can reduce risk. Regularly audit and sanitize all user inputs and consider implementing parameterized queries or prepared statements in custom plugin code. Additionally, restrict database user permissions to the minimum necessary to limit the impact of any injection. Monitoring logs for suspicious SQL query patterns and unusual database access can help detect exploitation attempts early. Finally, maintain regular backups and have an incident response plan ready in case of compromise.