Description
The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber level access and above, to manipulate SQL queries that can be used to extract sensitive information from the database and modify price type display names in the database via the admin-post.php "premmerce_update_price_type" action, causing cosmetic corruption of the admin interface. The 'price_type' parameter of the "premmerce_delete_price_type" is also vulnerable.
Published: 2025-11-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure, Database Modification
Action: Apply Patch
AI Analysis

Impact

The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL injection via the 'ID' parameter in versions up to and including 1.1.10, as well as the 'price_type' parameter of the "premmerce_delete_price_type" action. The flaw arises from insufficient escaping and lack of prepared statements, which allows an attacker who can log in with subscriber level or higher permissions to inject arbitrary SQL into queries executed against the WordPress database. This weakness can lead to extraction of sensitive data stored in the database and manipulation of price type display names, thereby corrupting the administrative interface and potentially undermining the integrity of product pricing. The attack requires authenticated access; the attacker must first be logged into the WordPress site with a role of subscriber or higher, which is a prerequisite for interacting with the vulnerable admin-post.php endpoints. Once authenticated, the attacker can supply crafted values for the affected parameters, causing the plugin to construct and execute malicious SQL statements. The plugin’s vendor is Premmerce, and the product is Premmerce Wholesale Pricing for WooCommerce. The vulnerability exists in all released versions up to 1.1.10, meaning any installation that has not upgraded beyond that point is at risk.

Affected Systems

Premmerce Wholesale Pricing for WooCommerce plugin, versions up to 1.1.10 installed on any WordPress site.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level, while the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low but not negligible, and the vulnerability is not yet listed in CISA's KEV catalog. The exploitation path is relatively straightforward for an authenticated user: by sending crafted requests to admin-post.php with the vulnerable parameters, the attacker can inject and execute arbitrary SQL within the context of the WordPress database. The impact spans both confidentiality, through data exfiltration, and integrity, via unauthorized modifications to pricing data. Mitigation is essential to prevent potential compromise of sensitive information and disruption of e-commerce pricing structures.

Generated by OpenCVE AI on April 22, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Premmerce Wholesale Pricing for WooCommerce to a version newer than 1.1.10.
  • If an update is not possible, disable the "premmerce_update_price_type" and "premmerce_delete_price_type" actions by removing or altering the corresponding admin-post.php hooks.
  • Implement strict input validation and use prepared statements for all database interactions within the plugin code.
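The recommended actions above come down to the same three controls the advisory says are missing: a capability check, a nonce, and a prepared query. The following is an added example, not the plugin's own code: a hypothetical admin-post.php handler written in the vulnerable style beside a hardened version. The table name (`price_types`), its columns (`id`, `name`), the `name` request field, the capability `manage_woocommerce`, and the function names are all assumptions for illustration; only the action names and the `ID` / `price_type` parameters come from the advisory.

```php
<?php
// Illustrative WordPress admin-post handlers (example code, not the plugin's).
// Assumed: table {$wpdb->prefix}price_types with columns id and name,
// request field 'name', capability 'manage_woocommerce'.

// --- Vulnerable pattern (CWE-89): untrusted input spliced into the SQL text.
// Shown for contrast only; it is deliberately not registered as a hook.
function example_update_price_type_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'price_types';
    $id    = $_POST['ID'];   // untrusted
    $name  = $_POST['name']; // untrusted
    // No capability check, no nonce, no prepare(): whoever can reach
    // admin-post.php while logged in controls the structure of this query.
    $wpdb->query( "UPDATE {$table} SET name = '{$name}' WHERE id = {$id}" );
}

// --- Hardened pattern: authorize, verify the nonce, validate, parameterize.
function example_update_price_type_safe() {
    global $wpdb;

    // 1. Authorization: admin_post_* hooks fire for every logged-in user,
    //    so the handler itself must reject roles such as subscriber.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: require the nonce the admin form emitted.
    check_admin_referer( 'premmerce_update_price_type' );

    // 3. Validation: coerce each field to its expected type before use.
    $id   = isset( $_POST['ID'] ) ? absint( $_POST['ID'] ) : 0;
    $name = isset( $_POST['name'] )
        ? sanitize_text_field( wp_unslash( $_POST['name'] ) )
        : '';
    if ( 0 === $id || '' === $name ) {
        wp_die( 'Invalid input', '', array( 'response' => 400 ) );
    }

    // 4. Parameterization: $wpdb->prepare() binds %d and %s placeholders,
    //    so the values can never change the shape of the statement.
    $table = $wpdb->prefix . 'price_types';
    $sql   = $wpdb->prepare(
        "UPDATE {$table} SET name = %s WHERE id = %d",
        $name,
        $id
    );
    $wpdb->query( $sql );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_premmerce_update_price_type', 'example_update_price_type_safe' );

// Same treatment for the delete action, where the advisory names the
// 'price_type' parameter; here it is bound as a string with %s.
function example_delete_price_type_safe() {
    global $wpdb;

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'premmerce_delete_price_type' );

    $price_type = isset( $_POST['price_type'] )
        ? sanitize_key( wp_unslash( $_POST['price_type'] ) )
        : '';
    if ( '' === $price_type ) {
        wp_die( 'Invalid input', '', array( 'response' => 400 ) );
    }

    $table = $wpdb->prefix . 'price_types';
    $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE name = %s", $price_type )
    );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_premmerce_delete_price_type', 'example_delete_price_type_safe' );
```

The capability check is what addresses the "Subscriber+" part of the title: WordPress dispatches `admin_post_{action}` to any authenticated user, and `admin_post_nopriv_{action}` to unauthenticated ones, so reachability of admin-post.php is not itself an authorization decision. The prepared statement is what closes the injection regardless of role, and the explicit type coercion (`absint`, `sanitize_key`) narrows what even an authorized user can send. When reviewing a plugin for this class of bug, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string contains a `$` interpolation or concatenation that is not wrapped in `$wpdb->prepare()`.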



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
References

Tue, 18 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 18 Nov 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Premmerce
Premmerce wholesale Pricing For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Premmerce
Premmerce wholesale Pricing For Woocommerce
Wordpress
Wordpress wordpress

Tue, 18 Nov 2025 08:45:00 +0000

Type Values Removed Values Added
Description The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber level access and above, to manipulate SQL queries that can be used to extract sensitive information from the database and modify price type display names in the database via the admin-post.php "premmerce_update_price_type" action, causing cosmetic corruption of the admin interface. The 'price_type' parameter of the "premmerce_delete_price_type" is also vulnerable.
Title Premmerce Wholesale Pricing for WooCommerce <= 1.1.10 - Authenticated (Subscriber+) SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:46.504Z

Reserved: 2025-10-28T15:27:58.347Z

Link: CVE-2025-12411

Vulnrichment

Updated: 2025-11-18T14:25:19.682Z

NVD

Status: Deferred

Published: 2025-11-18T09:15:48.510

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12411

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses