CVE-2025-10046: 
WordPress vulnerability analysis and mitigation

The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress contains an SQL Injection vulnerability (CVE-2025-10046) affecting versions up to and including 1.4.3. The vulnerability was discovered and disclosed on September 6, 2025, and impacts the plugin's file management functionality (NVD).

The vulnerability exists due to insufficient escaping of the 'filetodelete' parameter and inadequate preparation of SQL queries in the plugin's code. The issue is present in the elex-manage-feed-ajax.php file, specifically in the feed management functionality. The vulnerability has been assigned a CVSS v3.1 score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with high privileges required (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Administrator-level access to append additional SQL queries to existing queries, potentially leading to unauthorized access to sensitive information stored in the WordPress database (NVD).

The vulnerability has been patched in version 1.4.4 of the plugin. The fix includes improved input validation and proper SQL query preparation as shown in the changelog. Users are advised to update to version 1.4.4 or later immediately (WordPress Plugin).