Description
The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-09-06
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection through file_to_delete for Administrators
Action: Patch Plugin
AI Analysis

Impact

The ELEX WooCommerce Google Shopping plugin contains an SQL Injection flaw (CWE-89) in the file_to_delete parameter. The value is concatenated into an existing SQL statement without adequate escaping and without a prepared statement, so whoever controls the parameter controls part of the query. Because the parameter is only reachable by authenticated administrators, the attacker is an Administrator-level user, who can append SQL of their own (for example a UNION SELECT) and make the query return rows it was never meant to return. The CVSS vector rates the impact as confidentiality only (C:H/I:N/A:N): the realistic outcome is disclosure of sensitive data held in the WordPress database, such as user records (including password hashes), customer and order details and product information, rather than modification of that data.
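The pattern the advisory describes, shown as an added example that is not the plugin's own code: a lookup keyed on file_to_delete built by string interpolation beside the same lookup with a bound parameter. The table names, column names, the feed-file lookup query and the sample rows are all constructed for the demonstration (the plugin uses MySQL through $wpdb; sqlite3 is used here so the example runs offline). The UNION payload is what "append additional SQL queries into already existing queries" looks like in practice.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a WordPress database: a hypothetical feed-file
    table plus a wp_users table holding (fake) password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE feed_files (id INTEGER PRIMARY KEY, file_name TEXT, file_path TEXT);
        CREATE TABLE wp_users  (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO feed_files (file_name, file_path) VALUES
            ('feed-google.xml',   '/uploads/feeds/feed-google.xml'),
            ('feed-facebook.xml', '/uploads/feeds/feed-facebook.xml');
        INSERT INTO wp_users (user_login, user_pass) VALUES
            ('admin',       '$P$BconstructedAdminHash'),
            ('shopmanager', '$P$BconstructedManagerHash');
        """
    )
    return conn


def find_feed_vulnerable(conn: sqlite3.Connection, file_to_delete: str) -> list:
    """Hypothetical reconstruction of the flawed pattern: the request parameter
    is interpolated straight into the SQL text, so quotes and keywords in the
    value are parsed as SQL. This is the 'before' and is deliberately unsafe."""
    sql = (
        "SELECT file_name, file_path FROM feed_files "
        f"WHERE file_name = '{file_to_delete}'"
    )
    return conn.execute(sql).fetchall()


def find_feed_hardened(conn: sqlite3.Connection, file_to_delete: str) -> list:
    """Same lookup with the value bound as a parameter. The driver sends the
    value separately from the statement, so it can never change the query's
    structure. In WordPress the equivalent is
    $wpdb->prepare("... WHERE file_name = %s", $file_to_delete)."""
    sql = "SELECT file_name, file_path FROM feed_files WHERE file_name = ?"
    return conn.execute(sql, (file_to_delete,)).fetchall()


# A value an Administrator could submit as file_to_delete. The leading quote
# closes the literal, UNION appends a second SELECT against wp_users, and the
# trailing comment swallows the quote the original query appends.
PAYLOAD = "nope' UNION SELECT user_login, user_pass FROM wp_users -- "


def demo() -> dict:
    """Run both variants with a benign filename and with the payload."""
    conn = make_db()
    return {
        "benign_vulnerable": find_feed_vulnerable(conn, "feed-google.xml"),
        "benign_hardened": find_feed_hardened(conn, "feed-google.xml"),
        # rows from wp_users: the 'file lookup' has become a credential dump
        "payload_vulnerable": sorted(find_feed_vulnerable(conn, PAYLOAD)),
        # no feed file is literally named after the payload, so nothing comes back
        "payload_hardened": find_feed_hardened(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hardened variant needs no escaping function at all: binding the value is what makes the difference, and it also covers the cases (multibyte encodings, backslashes) where hand-written escaping tends to go wrong.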

Affected Systems

The bug affects all installations of the WordPress plugin ELEX WooCommerce Google Shopping (Google Product Feed) with versions up to and including 1.4.3. Any site running these plugin releases is vulnerable if an attacker can obtain Administrator or higher credentials.

Risk and Exploitability

The CVSS 3.1 base score is 4.9 (Medium) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N: reachable over the network with low attack complexity and no user interaction, but requiring high privileges. That privilege requirement is why the likelihood of exploitation is rated low, reflected in an EPSS score below 1% and in the SSVC assessment recorded in the history below (Exploitation: none, Automatable: no, Technical Impact: partial). The vulnerability is not listed in the CISA KEV catalog. The attack path is an authenticated Administrator (or an attacker who has compromised such an account) submitting a crafted file_to_delete value through the plugin's administrative functionality. Note that on a single-site WordPress install an Administrator can normally install plugins and edit theme files anyway, so the bug matters most on sites where those capabilities are locked down (for example with DISALLOW_FILE_MODS on a managed host) and direct database reads are not otherwise available to that role.

Generated by OpenCVE AI on April 22, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE record itself; see the recommended actions below.

OpenCVE Recommended Actions

  • Update the ELEX WooCommerce Google Shopping (Google Product Feed) plugin to version 1.4.4 or newer; 1.4.3 is the last affected release.
  • If the update cannot be applied immediately, reduce Administrator accounts to those strictly needed, enforce strong authentication (MFA) on them, and review web server logs for requests carrying the file_to_delete parameter with anything other than a plain feed filename.
  • As a temporary countermeasure, deactivate the plugin until the patch is installed. A WAF rule that rejects SQL metacharacters in file_to_delete narrows the exposure but is bypassable (encoding tricks, comment syntax) and does not remove the flaw, so treat it as a stopgap rather than a fix.
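A way to do the log review suggested above, as an added example that is neither OpenCVE's nor the plugin vendor's code. It scans constructed Apache-style access-log lines for requests carrying file_to_delete, undoes repeated percent-encoding (double encoding is the usual way past a naive filter), and flags any value that does not look like a plain feed filename; values that also contain SQL metacharacters are tagged separately. The admin page slug elex-feed, the client addresses and the log lines are all constructed; the parameter name is the one from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache combined style, trimmed). The page slug
# "elex-feed" is a placeholder, not the plugin's real admin page.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Sep/2025:10:01:12 +0000] "GET /wp-admin/admin.php?page=elex-feed&file_to_delete=feed-google.xml HTTP/1.1" 200 512
203.0.113.5 - - [08/Sep/2025:10:02:40 +0000] "GET /wp-admin/admin.php?page=elex-feed&file_to_delete=x%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 2048
198.51.100.9 - - [08/Sep/2025:10:03:01 +0000] "GET /wp-admin/admin.php?page=elex-feed&file_to_delete=x%2527%2520OR%25201%253D1%2520--%2520 HTTP/1.1" 200 2048
"""

# Request line: client ip, ident, user, [timestamp], "METHOD target PROTO"
REQ = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Allow-list: what a legitimate generated feed filename looks like. Anything
# outside this shape is suspicious even if no SQL keyword is present.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Block-list hints, used only to label findings, never as the sole check.
SQL_HINTS = re.compile(
    r"""['"`;]|--|/\*|\bunion\b.*\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(""", re.I
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded %2527 is seen as the quote it really is."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list:
    """Return one finding per suspicious file_to_delete value in the log."""
    findings = []
    for line in text.splitlines():
        m = REQ.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m["target"]).query
        for raw in parse_qs(query).get("file_to_delete", []):
            value = decode_fully(raw)
            if SAFE_FILENAME.match(value):
                continue  # plain filename: expected use of the parameter
            reason = "sql-metachar" if SQL_HINTS.search(value) else "unexpected-filename"
            findings.append(
                {"ip": m["ip"], "ts": m["ts"], "value": value, "reason": reason}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} [{f['reason']}] file_to_delete={f['value']!r}")
```

The allow-list is the part that does the real work: it catches a payload that avoids every keyword in the block-list, and it is also the shape of the input validation the plugin should apply before the value ever reaches a query. Correlate hits with the authenticated username from the WordPress side, since every request here comes from an account that already holds Administrator rights.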

Generated by OpenCVE AI on April 22, 2026 at 22:16 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-27075
Title: The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Mon, 08 Sep 2025 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Woocommerce (woocommerce), Wordpress (wordpress)
Vendors & Products   -                Woocommerce (woocommerce), Wordpress (wordpress)

Mon, 08 Sep 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 06 Sep 2025 06:45:00 +0000

Type         Values Removed   Values Added
Description  -                The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title        -                ELEX WooCommerce Google Shopping (Google Product Feed) <= 1.4.3 - Authenticated (Admin+) SQL Injection
Weaknesses   -                CWE-89
References   -
Metrics      -                cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:47.971Z

Reserved: 2025-09-05T18:38:09.121Z

Link: CVE-2025-10046

Vulnrichment

Updated: 2025-09-08T14:53:08.321Z

NVD

Status : Deferred

Published: 2025-09-06T07:15:33.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:30:28Z

Weaknesses