- Description
- The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible. While the vulnerable code ships in the free version, only sites with the paid version of the software installed and activated are affected.
- Source
- security@wordfence.com
- NVD status
- Awaiting Analysis
- CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Source
- security@wordfence.com
- CWE
- CWE-434
- Hype score
- Not currently trending
CVE-2025-11391 – Unauthenticated Blind SQL Injection in PPOM for WooCommerce 33.0.15 https://t.co/UUnQlf6AVF #cve #SQL_injection #SqlInjection #WooCommerce
@RootAccessClub
13 Feb 2026
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
GitHub - aritlhq/CVE-2025-11391: WordPress PPOM for WooCommerce Plugin <= 33.0.15 is vulnerable to SQL Injection https://t.co/2d6a0i6DGr
@akaclandestine
13 Feb 2026
1285 Impressions
6 Retweets
20 Likes
10 Bookmarks
0 Replies
0 Quotes
GitHub - aritlhq/CVE-2025-11391: WordPress PPOM for WooCommerce Plugin <= 33.0.15 is vulnerable to SQL Injection https://t.co/2d6a0i6DGr
@akaclandestine
21 Oct 2025
1826 Impressions
8 Retweets
23 Likes
16 Bookmarks
0 Replies
0 Quotes
CVE-2025-11391 in the PPOM plugin for WooCommerce allows file uploads without proper validation, which can lead to remote code execution. The risks of unauthorized attacks are significant. #säkerhet #cybersäkerhet #CVE
@Sakerhetsblogg
18 Oct 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
**CVE-2025-11391** pertains to a critical security flaw in the **PPOM – Product Addons & Custom Fields for WooCommerce** plugin for WordPress. The vulnerability arises from improper validation of uploaded files in the image cropper functionality, allowing unauthenticated
@CveTodo
18 Oct 2025
57 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-11391: CRITICAL] Beware: PPOM Plugin for WooCommerce WordPress site exposes to arbitrary file upload. Unauthenticated attackers could execute code on server. Update to version 33.0.16 or newer now! #cve, CVE-2025-11391, #cybersecurity https://t.co/N3H4M0VMT1 https://t.co/e
@CveFindCom
18 Oct 2025
104 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes