Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated remote SQLi (AV:N/AC:L/PR:N/UI:N) yields full DB read (C:H) and plausible limited writes (I:L); kept S:U as injection stays within the database trust boundary.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.
Articles & Coverage 2
AnalysisAI
SQL injection in the Premmerce Wishlist for WooCommerce WordPress plugin (versions 1.1.11 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries, per the CVSS PR:N vector. Reported by Patchstack and rated 9.3 (CVSS 3.1), it allows extraction of sensitive WordPress/WooCommerce data such as user records and credential hashes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions beyond having the Premmerce Wishlist for WooCommerce plugin (version <= 1.1.11) installed and active on a reachable WordPress site - exploitation is remote and unauthenticated (PR:N/UI:N/AC:L) against the plugin's exposed query path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals point to a high-priority issue with caveats. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scanning the internet for WordPress sites running the Premmerce Wishlist plugin sends a crafted HTTP request to the vulnerable wishlist endpoint with malicious SQL embedded in a parameter, requiring no authentication or user interaction. Using UNION-based or blind SQLi techniques, they exfiltrate wp_users records including administrator email addresses and password hashes for offline cracking. … |
| Remediation | No vendor-released patched version is named in the available data; the advisory states only that versions up to and including 1.1.11 are affected, so the primary action is to upgrade to the next release above 1.1.11 once published by Premmerce (verify the fixed version directly via the Patchstack advisory and the plugin's WordPress.org changelog before relying on it). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Deactivate and remove the Premmerce Wishlist plugin (all versions through 1.1.11) from all WordPress/WooCommerce installations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39373
GHSA-vqcv-7pvp-5rhv