CVE-2025-10046
Description
The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in ELEX WooCommerce Google Shopping plugin up to 1.4.3 allows admin-level attackers to extract database info via the file_to_delete parameter.
The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL injection in all versions up to and including 1.4.3. The flaw is in includes/elex-manage-feed-ajax.php, where the file_to_delete parameter is concatenated into a DELETE statement without escaping or parameterization [1]. The code does call $wpdb->prepare(), but misuses it: a %1s placeholder is applied to the already-built query string instead of binding the user-supplied value as a %s argument, so the call offers no protection and the query remains open to injection [1].
Exploitation requires an authenticated user with Administrator-level access or higher. The parameter arrives in a POST request to the elex_gpf_manage_feed_delete_file AJAX action. The handler performs a nonce check, but a nonce only proves the request came from a legitimate admin session; it does not sanitize file_to_delete before the value reaches the SQL query [1]. An administrator (or anyone holding an administrator session) can therefore append arbitrary SQL clauses to the DELETE statement.
Successful exploitation lets an authenticated administrator extract sensitive information from the WordPress database, such as user credential hashes, session tokens, or other confidential configuration data. The CVSS v3 base score of 4.9 (Medium) reflects the high privilege required and the confidentiality impact; on a typical single-site install an administrator can already install plugins and run arbitrary code, so the practical additional impact is limited.
As of the publication date (2025-09-06), no patch had been identified for version 1.4.3 or earlier. Note, however, that the reference list includes the changeset for the same file in the 1.4.4 tag, which indicates the vendor has since shipped a release touching the vulnerable code; administrators should confirm that 1.4.4 addresses the issue and update. Until then, restrict Administrator access to trusted individuals and monitor the plugin vendor for updates. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
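The prepare() misuse described above, reconstructed as an added illustration beside a hardened handler. This is example code, not the plugin's source (the plugin's actual statement is in the 1.4.3 file linked under References). The table name {$wpdb->prefix}elex_feed_files, the numeric id column, the nonce action and field names, and the function names are assumptions; the AJAX action name is the one given above.

```php
<?php
/**
 * Added illustration for CVE-2025-10046. NOT the plugin's code.
 * Assumed: table {$wpdb->prefix}elex_feed_files, numeric column `id`,
 * nonce action 'elex_gpf_manage_feed' sent in POST field 'security'.
 */

// WEAK: the user value is spliced into the SQL text by concatenation and the
// finished statement is then passed to prepare() as the argument of a '%1s'
// format. prepare() wraps only a bare %s in quotes and escapes only the
// argument it is given; here that argument is the whole statement, and %1s is
// substituted unquoted, so the concatenated text comes back essentially as-is
// and the part that originated in $_POST is never treated as data.
// A POST body of  file_to_delete=0 OR 1=1  rewrites the WHERE clause, and
// further SQL can be appended the same way. The nonce check stops CSRF only.
function elex_example_delete_file_weak() {
    global $wpdb;
    check_ajax_referer( 'elex_gpf_manage_feed', 'security' );
    $sql = "DELETE FROM {$wpdb->prefix}elex_feed_files WHERE id = " . $_POST['file_to_delete'];
    return $wpdb->query( $wpdb->prepare( '%1s', $sql ) );
}

// HARDENED: explicit capability check, the input is unslashed and coerced to a
// non-negative integer, and the value is bound through a %d placeholder so the
// statement text never contains user-controlled characters. For a string
// column, bind with %s (which prepare() quotes and escapes) after
// sanitize_file_name(). The table name is a trusted literal, not user input.
function elex_example_delete_file_safe() {
    global $wpdb;
    check_ajax_referer( 'elex_gpf_manage_feed', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $id = isset( $_POST['file_to_delete'] )
        ? absint( wp_unslash( $_POST['file_to_delete'] ) )
        : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'missing or invalid file id', 400 );
    }
    $table   = $wpdb->prefix . 'elex_feed_files';
    $deleted = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $id )
    );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Hook the hardened handler to the AJAX action named in the advisory.
add_action( 'wp_ajax_elex_gpf_manage_feed_delete_file', 'elex_example_delete_file_safe' );
```

When reviewing plugin code for this class of bug, search for prepare() calls whose first argument is a variable or a bare placeholder such as '%1s' rather than a string literal containing %s, %d or %f placeholders; those are the calls where the user value was interpolated before prepare() ever saw it.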
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.svn.wordpress.org/elex-woocommerce-google-product-feed-plugin-basic/tags/1.4.3/includes/elex-manage-feed-ajax.php (source: nvd)
- plugins.trac.wordpress.org/changeset/3342699/elex-woocommerce-google-product-feed-plugin-basic/tags/1.4.4/includes/elex-manage-feed-ajax.php (source: nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/0afe37bb-fa8a-4e7b-93c6-c44b3fbeb904 (source: nvd)
News mentions
No linked articles in our index yet.