Description
The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists.
Published: 2025-12-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Wishlists
Action: Patch
AI Analysis

Impact

The Premmerce Wishlist for WooCommerce plugin for WordPress is affected by a missing capability check in its deleteWishlist() function. Authenticated users with Subscriber-level access or higher can invoke this function and delete any wishlist at will. This flaw allows attackers to remove user-generated wishlists without permission, leading to data loss and potential disruption of user experience.

Affected Systems

Premmerce Wishlist for WooCommerce, a WordPress plugin, is affected in all releases up to and including version 1.1.10. Any site that has this plugin installed and is running one of those versions is vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 5.3 indicates a moderate severity, and the EPSS score of < 1% suggests a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. An attacker needs an authenticated WordPress account with Subscriber or higher privileges, and based on the description it is inferred that the attacker can exploit the flaw via the plugin’s delete endpoint, likely through the admin interface or an API call; the attack is local to the site’s host and requires no remote code execution.

Generated by OpenCVE AI on April 22, 2026 at 00:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Premmerce Wishlist for WooCommerce to the latest available version (>=1.1.11) which contains the missing capability check fix.
  • If an immediate update is not possible, restrict the deleteWishlist functionality by disabling the plugin’s delete endpoint for Subscriber and lower roles, for example by adding a capability check or removing the delete link for those roles.
  • Audit other plugins or custom code for missing capability checks and ensure that only Administrators have the capability to delete wishlists.

Generated by OpenCVE AI on April 22, 2026 at 00:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Mon, 15 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Premmerce
Premmerce wishlist For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Premmerce
Premmerce wishlist For Woocommerce
Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists.
Title Premmerce Wishlist for WooCommerce <= 1.1.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wishlist Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Premmerce Wishlist For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:37.959Z

Reserved: 2025-11-19T19:06:21.133Z

Link: CVE-2025-13440

cve-icon Vulnrichment

Updated: 2025-12-12T20:13:17.671Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:41.997

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13440

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses