CVE-2025-10046

MEDIUM

ELEX WooCommerce Google Shopping <1.4.3 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-10046. PoCs published by Byte Reaper and byteReaper77.

Description

The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.

Exploits (2)

exploitdb WORKING POC
by Byte Reaper · cwebappsmultiple
https://www.exploit-db.com/exploits/52430

This exploit demonstrates SQL injection in the ELEX WooCommerce WordPress Plugin 1.4.3 via the 'file_to_delete' parameter. It sends multiple SQLi payloads to test for vulnerabilities and checks responses for error messages.

Classification: Working PoC (90%)
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: ELEX WooCommerce Google Shopping Plugin 1.4.3
Authentication: required
Prerequisites: Admin access to WordPress · Plugin version 1.4.3 installed
Analyzed by devstral-2 on Feb 16, 2026
nomisec WORKING POC 6 stars
by byteReaper77 · poc
https://github.com/byteReaper77/CVE-2025-10046

This repository contains a functional exploit for CVE-2025-10046, a SQL injection vulnerability in the ELEX WooCommerce Google Shopping plugin for WordPress. The exploit targets the `file_to_delete` parameter in `elex-manage-feed-ajax.php` and requires administrator privileges.

Classification: Working PoC (95%)
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: ELEX WooCommerce Google Shopping (Product Feed) plugin for WordPress, versions 1.4.3 and earlier
Authentication: required
Prerequisites: Administrator access to the WordPress instance · Target plugin version 1.4.3 or earlier
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 4.9
EPSS: 0.0020
EPSS percentile: 41.9%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical impact: partial

Details

CWE: CWE-89
Status: published
Products (1): elextensions/ELEX WooCommerce Google Shopping (Google Product Feed) < 1.4.3
Published: Sep 06, 2025
Tracked since: Feb 18, 2026