CVE-2025-11391 — AI Deep Analysis Summary

🚨 **Essence**: Unauthenticated Time-Based Blind SQL Injection in PPOM Plugin. 💥 **Consequences**: Attackers can extract database data (user creds, site config) without detection.…

🛡️ **Root Cause**: CWE-434 (Unrestricted Upload of File with Dangerous Type) is listed, but the **PoC reveals SQL Injection**. ⚠️ **Flaw**: Lack of input validation/sanitization in plugin hooks (`inc/hooks.php`).…

🎯 **Affected**: WordPress Plugin: **PPOM – Product Addons & Custom Fields for WooCommerce**. 📦 **Versions**: **<= 33.0.15**. 🏢 **Vendor**: ThemeIsle. If you use this plugin on WooCommerce, you are at risk.

💀 **Hackers Can**: Execute arbitrary SQL commands. 📊 **Data Access**: Read sensitive DB tables (users, passwords, options). 🔄 **Privileges**: Unauthenticated access means **zero login needed**.…

📉 **Threshold**: **LOW**. 🔓 **Auth**: Unauthenticated (No login required). 🌐 **Network**: Network-accessible (AV:N). 🖱️ **UI**: None required (UI:N). Easy to exploit via automated scripts.

🔓 **Exploit Available**: **YES**. 📂 **PoC**: Public on GitHub (`aritlhq/CVE-2025-11391`). 🚀 **Status**: Time-based blind SQLi PoC is ready. Wild exploitation is likely imminent given the low barrier.

🔍 **Self-Check**: 1. Check WP Plugin list for 'PPOM'. 2. Verify version **<= 33.0.15**. 3. Scan for `inc/hooks.php` modifications. 🛠️ **Tools**: Use WPScan or manual version check.…

✅ **Fixed**: **YES**. 🆕 **Patch Version**: **33.0.16**. 📝 **Action**: Update plugin immediately to v33.0.16 or later. The vendor has acknowledged and patched the issue.

🚧 **No Patch Workaround**: 1. **Deactivate** the plugin if not essential. 2. **Restrict Access**: Block plugin endpoints via WAF. 3. **Input Filtering**: Manually sanitize inputs in `hooks.php` (advanced).…

🔥 **Urgency**: **CRITICAL**. 🚨 **Priority**: **P1**. CVSS Score is High (likely 9.0+ based on vector). Unauthenticated SQLi is a top-tier threat. Patch **NOW** to prevent data breach.