Vulnerabilities and security researches forwoocommerce-product-addon woocommerce-product-addon

Jun 07, 2024

CVE, Research URL: CVE-2019-14948
Home page URL: Security reports for Product Addons & Fields for WooCommerce
Application: Product Addons & Fields for WooCommerce
Date: Aug 12, 2019
Research Description: The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure.
Affected versions: max 2.0.
Status: vulnerable

CVE, Research URL: CVE-2024-3962
Home page URL: Security reports for Product Addons & Fields for WooCommerce
Application: Product Addons & Fields for WooCommerce
Date: Apr 26, 2024
Research Description: The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires the PPOM Pro plugin to be installed along with a WooCommerce product that contains a file upload field to retrieve the correct nonce.
Affected versions: max 32.0.19.
Status: vulnerable

CVE, Research URL: CVE-2023-2256
Home page URL: Security reports for Product Addons & Fields for WooCommerce
Application: Product Addons & Fields for WooCommerce
Date: May 30, 2023
Research Description: The Product Addons & Fields for WooCommerce WordPress plugin before 32.0.7 does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting.
Affected versions: max 2.0.
Status: vulnerable

CVE, Research URL: CVE-2023-1839
Home page URL: Security reports for Product Addons & Fields for WooCommerce
Application: Product Addons & Fields for WooCommerce
Date: May 15, 2023
Research Description: The Product Addons & Fields for WooCommerce WordPress plugin before 32.0.6 does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).
Affected versions: max 32.0.6.
Status: vulnerable

CVE, Research URL: CVE-2021-25018
Home page URL: Security reports for Product Addons & Fields for WooCommerce
Application: Product Addons & Fields for WooCommerce
Date: Feb 14, 2022
Research Description: The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues
Affected versions: max 24.0.
Status: vulnerable

Jun 11, 2024

CVE, Research URL: CVE-2024-35728
Home page URL: Security reports for Product Addons & Fields for WooCommerce
Application: Product Addons & Fields for WooCommerce
Date: Jun 10, 2024
Research Description: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Themeisle PPOM for WooCommerce allows Code Inclusion.This issue affects PPOM for WooCommerce: from n/a through 32.0.20.
Affected versions: max 32.0.21.
Status: vulnerable

Jan 26, 2025

CVE, Research URL: CVE-2025-24668
Home page URL: Security reports for Product Addons & Fields for WooCommerce
Application: Product Addons & Fields for WooCommerce
Date: Jan 24, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle PPOM for WooCommerce allows Stored XSS. This issue affects PPOM for WooCommerce: from n/a through 33.0.8.
Affected versions: max 33.0.9.
Status: vulnerable

Nov 10, 2025

CVE, Research URL: CVE-2025-11691
Home page URL: Security reports for Product Addons & Fields for WooCommerce
Application: Product Addons & Fields for WooCommerce
Date: Oct 18, 2025
Research Description: The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled.
Affected versions: max 33.0.16.
Status: vulnerable

CVE, Research URL: CVE-2025-11391
Home page URL: Security reports for Product Addons & Fields for WooCommerce
Application: Product Addons & Fields for WooCommerce
Date: Oct 18, 2025
Research Description: The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated.
Affected versions: max 33.0.16.
Status: vulnerable