SQL Injection Vulnerability in PPOM – Product Addons & Custom Fields for WooCommerce Plugin
CVE-2025-11691

7.5 HIGH

What is CVE-2025-11691?

The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress contains a vulnerability that allows SQL injection through the PPOM_Meta::get_fields_by_id() function. This issue arises in all versions up to 33.0.15 due to inadequate escaping of user-supplied parameters and insufficient preparation of SQL queries. Unauthenticated attackers can exploit this vulnerability, especially when the 'Enable Legacy Price Calculations' setting is active, to inject additional SQL commands that might extract sensitive database information. Mitigation of this vulnerability is essential to ensure database integrity and protect user data.
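To illustrate the defect class the advisory describes (a user-supplied id concatenated into a SQL string instead of being bound through $wpdb->prepare()), here is an added example; it is not the plugin's code, and the function names and the table name are hypothetical.

```php
<?php
// Added example, not PPOM's code. Function and table names are hypothetical;
// $wpdb is WordPress's global database object.

// Weak pattern (the defect class described in the advisory): the caller's
// value is concatenated straight into the query, so a non-numeric string is
// interpreted as SQL rather than as data.
function example_get_fields_by_id_unsafe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_meta'; // hypothetical table
    $sql   = "SELECT * FROM {$table} WHERE id = " . $id;
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened form: validate the type at the boundary, then let
// $wpdb->prepare() bind the value with a %d placeholder.
function example_get_fields_by_id( $id ) {
    global $wpdb;

    // Reject anything that is not a positive integer before it reaches SQL.
    $id = filter_var(
        $id,
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
    if ( false === $id ) {
        return array();
    }

    $table = $wpdb->prefix . 'example_meta'; // hypothetical table
    // %d forces an integer; the table name comes only from $wpdb->prefix,
    // never from request data.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```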

Affected Version(s)

PPOM – Product Addons & Custom Fields for WooCommerce: all versions up to and including 33.0.15

CVSS v3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Talal Nasraddeen