CVE-2025-12783

Severity: MEDIUM (CVSS 3.1 base score 4.3)
Published: 2025-12-12, source: [email protected]

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 08, 2026 - 18:38 (vuln.today)
CVE Published: Dec 12, 2025 - 04:15 (nvd)

Description

The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings.

Analysis

Premmerce Brands for WooCommerce plugin versions up to 1.2.13 allow authenticated attackers with Subscriber-level access to modify brand permalink settings due to a missing capability check in the saveBrandsSettings function. The vulnerability requires only network access and low-privilege authentication, enabling unauthorized data modification of WordPress brand configuration without user interaction.

Technical Context

The vulnerability exists in the saveBrandsSettings function within the Premmerce Brands for WooCommerce plugin, which fails to validate user capabilities before processing brand settings modifications. This is a missing authorization issue (CWE-862: Missing Authorization) affecting WordPress role-based access control. The plugin, which integrates with WooCommerce to manage product brands, does not restrict the admin settings modification endpoint to users with appropriate administrative roles. WordPress plugins typically enforce capabilities using functions like current_user_can() to verify that the current user's role (Administrator, Shop Manager, etc.) is authorized before processing sensitive operations; being authenticated is not the same as being authorized, and the absence of this check allows any logged-in user, including those with minimal Subscriber-level permissions, to invoke functionality that should be restricted to administrators.

Affected Products

The Premmerce Brands for WooCommerce plugin is affected in all versions up to and including 1.2.13. This WordPress plugin extends WooCommerce functionality to manage product brands. The vulnerability impacts any WordPress installation running the Premmerce Brands plugin at version 1.2.13 or earlier. Users can verify their version in the WordPress plugin dashboard; the plugin is distributed via the official WordPress plugin repository.

Remediation

Update the Premmerce Brands for WooCommerce plugin to a version newer than 1.2.13; check the official WordPress plugin repository or the plugin's changelog at https://plugins.trac.wordpress.org/changeset/3465319/ for the patched release version. If an immediate update is unavailable, restrict Subscriber-level user creation or revoke unnecessary user accounts pending a patch release. Review user roles and capabilities in WordPress Settings > Users to ensure only trusted administrators have access to brand management features. Monitor brand permalink configurations for unauthorized changes. For additional vulnerability details and updates, consult the Wordfence vulnerability report at https://www.wordfence.com/threat-intel/vulnerabilities/id/6560ba0b-2190-4d30-b0c4-f07d524ccfde?source=cve.
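As an added illustration of the Technical Context and the monitoring step above (this is not the Premmerce plugin's own code; the hook name, option key, nonce action and capability are assumptions), a minimal brands-settings AJAX handler with the capability check that CWE-862 describes as missing, plus an audit hook that records who changed the stored permalink settings:

```php
<?php
// Hypothetical hardened settings handler for a WooCommerce brands plugin.
// Assumed names: hook 'wp_ajax_brands_save_settings', option key
// 'brands_permalink_settings', nonce action 'brands_save_settings'.

add_action( 'wp_ajax_brands_save_settings', 'brands_save_settings_handler' );

function brands_save_settings_handler() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'brands_save_settings', 'nonce' );

    // 2. Authorization. This is the check whose absence lets any logged-in
    //    user (Subscriber and above) reach the handler: wp_ajax_* hooks only
    //    guarantee that the caller is authenticated, not that they may change
    //    shop configuration. 'manage_woocommerce' is held by Administrators
    //    and Shop Managers, not by Subscribers.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only a slug-safe permalink base.
    $raw  = isset( $_POST['permalink_base'] ) ? wp_unslash( $_POST['permalink_base'] ) : '';
    $base = sanitize_title( $raw );
    if ( '' === $base ) {
        wp_send_json_error( array( 'message' => 'Invalid permalink base.' ), 400 );
    }

    update_option( 'brands_permalink_settings', array( 'base' => $base ) );
    wp_send_json_success( array( 'base' => $base ) );
}

// Audit trail for the "monitor brand permalink configurations" step:
// WordPress fires update_option_{$option} after the value changes, so a
// change made through any code path (including an unpatched handler) is
// logged with the acting user and their roles.
add_action( 'update_option_brands_permalink_settings', 'brands_log_settings_change', 10, 3 );

function brands_log_settings_change( $old_value, $value, $option ) {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'none';
    error_log( sprintf(
        'brands-settings-audit: option=%s user_id=%d login=%s roles=%s old=%s new=%s',
        $option, $user->ID, $user->user_login, $roles,
        wp_json_encode( $old_value ), wp_json_encode( $value )
    ) );
}
```

An audit line written by a user whose roles are only "subscriber" is the signal a defender would alert on while the plugin is still at 1.2.13 or earlier.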

Priority Score: 22 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +22
POC: 0
