Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-10046 PoC — ELEX WooCommerce Google Shopping (Google Product Feed) <= 1.4.3 - Authenticated (Admin+) SQL Inejction

Source
https://github.com/byteReaper77/CVE-2025-10046
Associated Vulnerability
Title:ELEX WooCommerce Google Shopping (Google Product Feed) <= 1.4.3 - Authenticated (Admin+) SQL Inejction (CVE-2025-10046)
Description:The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Description
exploit SQL injection ELEX WooCommerce Google Shopping
Readme
# CVE-2025-10046 - ELEX WooCommerce Google Shopping
**Author: Byte Reaper**

## Description
CVE-2025-10046 is a SQL injection vulnerability in the ELEX WooCommerce Google Shopping (Product Feed) plugin for WordPress, versions 1.4.3 and earlier.
The issue resides in the includes/elex-manage-feed-ajax.php file, where the file_to_delete parameter is not properly sanitized before being used in SQL queries.

Attack vector: Authenticated (Administrator)

Impact: An attacker with administrator privileges could inject arbitrary SQL statements, potentially leading to database information disclosure or tampering.

Severity: High (Requires administrator privileges, but may compromise database integrity).

## Requirements :
```
Linux x86_64
GCC 
```
## Code Logic (elex-manage-feed-ajax.php)
![Logic Code](./logic.png)

This image shows the code area in the `elex-manage-feed-ajax.php` file that is vulnerable to SQL injection. The `sanitize_text_field()` function is applied first to sanitize user input from suspicious HTML tags and ensure proper Unicode formatting, but this is not sufficient to prevent SQL injection. Next, a global `$wpdb` object is used to access the `gpf_feeds` table, and the code calls `$wpdb->query` directly without using properly prepared statements or other validation methods. The SQL statement `DELETE FROM $table_name WHERE feed_id= $id` executes user input on the database, and since `file_to_delete` is not strictly validated, this allows SQL injection to be effective.


## Build :
```
gcc exploit.c argparse.c -o CVE-2025-10046 -lcurl
./CVE-2025-10046 -u http://127.0.0.1 -v -c [Cookie file admin]
```

## References : 
- NVD : https://nvd.nist.gov/vuln/detail/CVE-2025-10046


## License : 

MIT
File Snapshot

 [4.0K]  /data/pocs/710adf7aa949a07d8a0436c95a875ad7c76f8079
├── [ 21K]  exploit.c
├── [1.0K]  LICENSE
├── [179K]  logic.png
└── [1.7K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →