Ppom – Product Addons & Custom Fields For Woocommerce

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:themeisle:ppom_–_product_addons_&_custom_fields_for_woocommerce:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorThemeisle (952ca4ef-81b0-5b76-b2cc-d8cf654b2d29)
ProductPpom – Product Addons & Custom Fields For Woocommerce (ee439278-675b-5423-aa08-b43684027425)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2025-11691 vulnerable 2026-06-03 14:58:42.909231 PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated SQL Injection
HIGH (7.5)
The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled.
Published: 2025-10-18T06:42:49.184Z
Updated: 2026-04-08T17:31:52.371Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-11391 vulnerable 2026-06-03 14:58:36.009766 PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated Arbitrary File Upload
CRITICAL (9.8)
The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated.
Published: 2025-10-18T06:42:48.390Z
Updated: 2026-04-08T17:24:40.895Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-3962 vulnerable 2026-06-03 14:56:32.536652 Product Addons & Fields for WooCommerce <= 32.0.18 - Unauthenticated Arbitrary File Upload via ppom_upload_file
CRITICAL (9.8)
The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires the PPOM Pro plugin to be installed along with a WooCommerce product that contains a file upload field to retrieve the correct nonce.
Published: 2024-04-26T08:29:20.259Z
Updated: 2026-04-08T16:52:06.464Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-1047 vulnerable 2026-06-03 14:54:26.033938 ThemeIsle SDK <= Various Versions - Missing Authorization
MEDIUM (5.3)
Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.
Published: 2024-02-02T05:33:14.536Z
Updated: 2026-04-08T16:56:47.195Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.