CVE-2025-13440

MEDIUM
2025-12-12 [email protected]
5.3
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 08, 2026 - 18:38 (vuln.today)
CVE Published: Dec 12, 2025 - 04:15 (nvd), rated MEDIUM 5.3

Description

The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists.

Analysis

Premmerce Wishlist for WooCommerce plugin versions up to and including 1.1.10 fail to enforce an authorization check on the deleteWishlist() function, allowing authenticated Subscriber-level users to delete arbitrary wishlists belonging to other users. The flaw is a missing capability check, not an authentication bypass: although the CVSS vector records PR:N (no privileges required), the description states that Subscriber-level authentication is required, so the vector likely reflects how reachable the function is rather than an actual bypass of authentication. With an EPSS of 0.04% and no public exploit code identified, real-world exploitation risk is minimal despite the authorization flaw.

Technical Context

The Premmerce Wishlist plugin for WooCommerce extends WordPress user functionality to manage product wishlists through a custom deleteWishlist() function in the Admin.php class. The vulnerability occurs because the function, which is reachable through the plugin's action hooks, performs no WordPress capability check before processing a wishlist deletion request; a nonce, where one is present, only confirms that the request originated from the site's own form and does not establish that the caller is permitted to delete the targeted wishlist. CWE-862 (Missing Authorization) describes this class of flaw: the system performs an action or grants access based on a function call without verifying that the user has permission to request that action. In a WordPress context, this typically means missing calls to current_user_can() with appropriate capabilities, or a missing ownership check, before performing a privileged operation. The result is that an authenticated user can submit a request to the deleteWishlist() endpoint and delete wishlists they do not own, affecting data integrity on multi-user WooCommerce installations.
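The following is an added, hypothetical example and not the plugin's own code: an AJAX delete handler written first with the CWE-862 flaw described above (a nonce but no permission check), then in a hardened form that adds a login check, an object-level ownership check, and a capability fallback. The `hypothetical_wishlist_repo()` helper, the `wishlist_nonce` action name and the `wishlist_id` parameter are assumptions for illustration; `manage_woocommerce` is WooCommerce's own management capability.

```php
<?php
// Added example, not code from the Premmerce plugin. Assumes a hypothetical
// repository object with find( $id ) -> object|null and delete( $id ).

// FLAWED: check_ajax_referer() only proves the request came from the site's
// own form. Nothing verifies that the caller may delete this particular id,
// so any logged-in user can delete any wishlist (CWE-862).
function hypothetical_delete_wishlist_flawed() {
    check_ajax_referer( 'wishlist_nonce', 'nonce' );
    $wishlist_id = isset( $_POST['wishlist_id'] ) ? absint( $_POST['wishlist_id'] ) : 0;
    hypothetical_wishlist_repo()->delete( $wishlist_id );
    wp_send_json_success();
}

// HARDENED: nonce, authentication, ownership and capability are all checked
// before the destructive operation runs.
function hypothetical_delete_wishlist_hardened() {
    check_ajax_referer( 'wishlist_nonce', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $wishlist_id = isset( $_POST['wishlist_id'] ) ? absint( $_POST['wishlist_id'] ) : 0;
    $wishlist    = hypothetical_wishlist_repo()->find( $wishlist_id );
    if ( ! $wishlist ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Object-level authorization: the owner may delete their own wishlist;
    // anyone else needs a store-management capability.
    $is_owner = (int) $wishlist->user_id === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    hypothetical_wishlist_repo()->delete( $wishlist_id );
    wp_send_json_success();
}

// Register only the wp_ajax_ (logged-in) hook; no wp_ajax_nopriv_ variant,
// since unauthenticated users have no wishlists to delete.
add_action( 'wp_ajax_hypothetical_delete_wishlist', 'hypothetical_delete_wishlist_hardened' );
```

When reviewing a plugin for this flaw class, look for destructive handlers that reach a database write with only `check_ajax_referer()` or `wp_verify_nonce()` in front of them and no `current_user_can()` or owner comparison.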

Affected Products

The Premmerce Wishlist for WooCommerce WordPress plugin is vulnerable in all versions up to and including 1.1.10. The plugin is distributed through the official WordPress.org plugin repository. Affected installations include any WordPress site running WooCommerce with the Premmerce Wishlist plugin installed and the vulnerable version active. Version 1.1.11 and above (if available) should address the authorization issue based on Wordfence threat intelligence reporting.

Remediation

Update the Premmerce Wishlist for WooCommerce plugin to version 1.1.11 or later immediately. Site administrators should navigate to WordPress Dashboard > Plugins, locate 'Premmerce Wishlist for WooCommerce', and click 'Update Now' if a newer version is available. If version 1.1.11 has not yet been released, disable the plugin temporarily until a patched version is available from the vendor. Additionally, audit user roles so that each account holds only the minimum capabilities it needs, and remove Subscriber-level access for users who do not require wishlist functionality. On installations still running vulnerable versions, monitor admin and activity logs for unusual wishlist deletion activity. For additional details and confirmation of patched version availability, consult the Wordfence vulnerability report at https://www.wordfence.com/threat-intel/vulnerabilities/id/9347900c-61c2-4d63-885e-e971c646b737?source=cve and review the plugin repository at https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/.

Priority Score

27 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +26
POC: 0
