PT-2025-42700 · WordPress · Ppom – Product Addons & Custom Fields For Woocommerce

Talal Nasraddeen · Published 2025-10-18 · Updated 2025-10-25 · CVE-2025-11691

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress versions prior to 33.0.16

Description

The software contains a SQL Injection flaw in the PPOM_Meta::get_fields_by_id() function. Insufficient escaping of user-supplied parameters and inadequate SQL query preparation allow unauthenticated attackers to inject additional SQL queries into existing queries, potentially extracting sensitive information from the database. This is exploitable when the Enable Legacy Price Calculations setting is enabled.

Recommendations

Update the PPOM – Product Addons & Custom Fields for WooCommerce plugin to version 33.0.16 or later.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2025-11691

Affected Products

Ppom – Product Addons & Custom Fields For Woocommerce