CVE-2025-10046
📋 TL;DR
This SQL injection vulnerability in the ELEX WooCommerce Google Shopping plugin allows authenticated administrators to execute arbitrary SQL queries against the WordPress database. Attackers with admin access can extract sensitive information like user credentials, payment data, or other database contents. Only WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of all user data, credentials, payment information, and potential privilege escalation to full system access.
Likely Case
Data theft of sensitive information from the WordPress database, potentially including user credentials, personal data, and e-commerce transaction details.
If Mitigated
Limited impact due to requiring administrator credentials, with only authorized users potentially exploiting the vulnerability.
🎯 Exploit Status
Exploitation requires administrator-level access to WordPress. SQL injection occurs via the 'file_to_delete' parameter in AJAX requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.4
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3342699/elex-woocommerce-google-product-feed-plugin-basic/tags/1.4.4/includes/elex-manage-feed-ajax.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'ELEX WooCommerce Google Shopping (Google Product Feed)'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 1.4.4+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched
wp plugin deactivate elex-woocommerce-google-product-feed-plugin-basic
Access Restriction
allRestrict admin panel access to trusted IP addresses only
🧯 If You Can't Patch
- Implement strict principle of least privilege for WordPress administrator accounts
- Enable web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for ELEX WooCommerce Google Shopping plugin versionCheck Version:
wp plugin get elex-woocommerce-google-product-feed-plugin-basic --field=versionVerify Fix Applied:
Verify plugin version is 1.4.4 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by admin access
- AJAX requests to elex-manage-feed-ajax.php with suspicious file_to_delete parameters
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=elex_gpf_delete_feed_file containing SQL syntax in parameters
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND post_data LIKE "%file_to_delete%" AND (post_data LIKE "%UNION%" OR post_data LIKE "%SELECT%" OR post_data LIKE "%INSERT%")🔗 References
- https://plugins.svn.wordpress.org/elex-woocommerce-google-product-feed-plugin-basic/tags/1.4.3/includes/elex-manage-feed-ajax.php#29
- https://plugins.trac.wordpress.org/changeset/3342699/elex-woocommerce-google-product-feed-plugin-basic/tags/1.4.4/includes/elex-manage-feed-ajax.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0afe37bb-fa8a-4e7b-93c6-c44b3fbeb904?source=cve
