WordPress
CVE-2025-13440
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists.
AnalysisAI
Premmerce Wishlist for WooCommerce plugin versions up to 1.1.10 fails to enforce authorization checks on the deleteWishlist() function, allowing authenticated Subscriber-level users to delete arbitrary wishlists belonging to other users. The vulnerability stems from missing capability validation rather than authentication bypass; while the CVSS vector indicates unauthenticated access (PR:N), the description specifies Subscriber-level authentication is required, suggesting the vector may reflect the function's accessibility rather than actual authentication bypass. With EPSS of 0.04% and no public exploit code identified, real-world exploitation risk is minimal despite the authorization flaw.
Technical ContextAI
The Premmerce Wishlist plugin for WooCommerce extends WordPress user functionality to manage product wishlists through a custom deleteWishlist() function in the Admin.php class. The vulnerability occurs because the function lacks proper WordPress capability checks (using do_action hooks or nonces without corresponding capability validation) before processing wishlist deletion requests. CWE-862 (Missing Authorization) describes this class of flaw: the system performs an action or grants access based on a function call without verifying that the user has permission to request that action. In WordPress context, this typically means missing calls to current_user_can() with appropriate capabilities before performing privileged operations. The vulnerability allows an authenticated user to craft requests to the deleteWishlist() endpoint and delete wishlists they do not own, potentially impacting data integrity across multi-user WooCommerce installations.
Affected ProductsAI
The Premmerce Wishlist for WooCommerce WordPress plugin is vulnerable in all versions up to and including 1.1.10. The plugin is distributed through the official WordPress.org plugin repository. Affected installations include any WordPress site running WooCommerce with the Premmerce Wishlist plugin installed and the vulnerable version active. Version 1.1.11 and above (if available) should address the authorization issue based on Wordfence threat intelligence reporting.
RemediationAI
Update the Premmerce Wishlist for WooCommerce plugin to version 1.1.11 or later immediately. Site administrators should navigate to WordPress Dashboard > Plugins, locate 'Premmerce Wishlist for WooCommerce', and click 'Update Now' if a newer version is available. If version 1.1.11 has not yet been released, administrators should disable the plugin temporarily until a patched version is available from the vendor. Additionally, audit user roles and ensure that trusted users only have the minimum necessary capabilities; remove Subscriber-level access for users who do not require wishlist functionality. Monitor admin logs for unusual wishlist deletion activity on installations currently running vulnerable versions. For additional details and confirmation of patched version availability, consult the Wordfence vulnerability report at https://www.wordfence.com/threat-intel/vulnerabilities/id/9347900c-61c2-4d63-885e-e971c646b737?source=cve and review the plugin repository at https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today