Skip to main content

Premmerce Wishlist EUVDEUVD-2026-39373

| CVE-2026-54849 CRITICAL
SQL Injection (CWE-89)
2026-06-25 Patchstack GHSA-vqcv-7pvp-5rhv
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.2 HIGH

Unauthenticated remote SQLi (AV:N/AC:L/PR:N/UI:N) yields full DB read (C:H) and plausible limited writes (I:L); kept S:U as injection stays within the database trust boundary.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 25, 2026 - 14:20 vuln.today
CVE Published
Jun 25, 2026 - 13:12 cve.org
CRITICAL 9.3

DescriptionCVE.org

Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.

AnalysisAI

SQL injection in the Premmerce Wishlist for WooCommerce WordPress plugin (versions 1.1.11 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries, per the CVSS PR:N vector. Reported by Patchstack and rated 9.3 (CVSS 3.1), it allows extraction of sensitive WordPress/WooCommerce data such as user records and credential hashes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running vulnerable Premmerce Wishlist plugin
Delivery
Send crafted request to wishlist endpoint
Exploit
Inject SQL into unsanitized parameter
Execution
Database executes attacker query
Impact
Exfiltrate user credentials and sensitive data

Vulnerability AssessmentAI

Exploitation No special conditions beyond having the Premmerce Wishlist for WooCommerce plugin (version <= 1.1.11) installed and active on a reachable WordPress site - exploitation is remote and unauthenticated (PR:N/UI:N/AC:L) against the plugin's exposed query path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals point to a high-priority issue with caveats. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scanning the internet for WordPress sites running the Premmerce Wishlist plugin sends a crafted HTTP request to the vulnerable wishlist endpoint with malicious SQL embedded in a parameter, requiring no authentication or user interaction. Using UNION-based or blind SQLi techniques, they exfiltrate wp_users records including administrator email addresses and password hashes for offline cracking. …
Remediation No vendor-released patched version is named in the available data; the advisory states only that versions up to and including 1.1.11 are affected, so the primary action is to upgrade to the next release above 1.1.11 once published by Premmerce (verify the fixed version directly via the Patchstack advisory and the plugin's WordPress.org changelog before relying on it). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Deactivate and remove the Premmerce Wishlist plugin (all versions through 1.1.11) from all WordPress/WooCommerce installations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39373 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy