Impact
The Premmerce Brands for WooCommerce plugin contains a Cross‑Site Request Forgery weakness (CWE‑352) that permits an attacker to send forged HTTP requests on behalf of an authenticated user. The vulnerability affects all versions up to and including 1.2.13. A malicious actor can exploit a logged‑in session to perform any operation the user is authorized to execute, potentially leading to unauthorized product management, data modification, or administrative changes within the WooCommerce store. The impact is limited to standard CSRF consequences: accidental or malicious alteration of data, loss of integrity, and possible escalation of the attacker's privileges to those of whatever role the victim holds.
Affected Systems
The affected software is Premmerce Brands for WooCommerce, provided by Premmerce. The issue applies to all releases from the earliest available version through 1.2.13. Users running any of these plugin versions on a WordPress site are at risk.
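To check an installation against the affected range above, the following added example (not code from the advisory or from the plugin) reads the `Version:` field of a plugin's main PHP file and compares it with 1.2.13. The header sample is constructed, the function names are hypothetical, and the standard WordPress plugin header comment format is assumed.

```python
import re

# Last affected release according to the advisory text.
LAST_AFFECTED = (1, 2, 13)

# Constructed sample of a WordPress plugin header (not the plugin's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Premmerce Brands for WooCommerce
 * Version: 1.2.13
 * Author: Premmerce
 */
"""


def parse_plugin_version(php_source):
    """Return the 'Version:' header value as a tuple of ints, or None."""
    # WordPress itself only reads headers from the first 8 KiB of the file.
    head = php_source[:8192]
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", head, re.I | re.M)
    if not m:
        return None
    # Keep the leading numeric components; drop suffixes such as '-beta2'.
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1))
    if not nums:
        return None
    return tuple(int(part) for part in nums.group(0).split("."))


def _pad(version, width):
    """Right-pad with zeros so (1, 2) compares as (1, 2, 0)."""
    return version + (0,) * (width - len(version))


def is_affected(version):
    """True when version <= 1.2.13; an unreadable version is flagged too."""
    if version is None:
        return True  # cannot prove it is outside the range: review manually
    width = max(len(version), len(LAST_AFFECTED))
    return _pad(version, width) <= _pad(LAST_AFFECTED, width)


def check(php_source):
    """Return (parsed_version, affected) for one plugin main file."""
    version = parse_plugin_version(php_source)
    return version, is_affected(version)


if __name__ == "__main__":
    print(check(SAMPLE_HEADER))
```

A `False` result only means the installed version is later than 1.2.13; the advisory text does not name a fixed release.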
Risk and Exploitability
The CVSS base score of 4.3 indicates low severity, and the EPSS score of less than 1% signals that the vulnerability is unlikely to be widely exploited at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a CSRF attack that can be initiated via a crafted web request or malicious link from an external site, relying on the victim having an active authenticated session with the vulnerable WordPress installation.
OpenCVE Enrichment