Premmerce Premium plugin for WordPress contains a CSRF flaw that allows an attacker to trick an authenticated user into performing unwanted actions within the plugin. The vulnerability is moderate in severity, with a CVSS score of 4.3, indicating that it can affect the confidentiality, integrity, or availability of data only when the victim is logged in and no additional exploitation steps are required. The weakness is classified as CWE‑352, a Classic CSRF vulnerability where improper verification of user intent permits unauthorized requests.

Any WordPress site installing Premmerce Premium plugin version 1.3.19 or earlier is vulnerable. The affected product is the Premmerce plugin developed by Premmerce, and no particular build numbers beyond 1.3.19 are mentioned as affected.

The EPSS score for this flaw is below 1%, suggesting that exploitation is unlikely but still possible. It is not listed in the CISA KEV catalog. While the CVSS metric indicates moderate impact, the typical attack vector for CSRF is a user’s browser executing a forged request to the site, so an attacker would need to persuade or trick an authenticated user. No special conditions beyond normal login are documented. Therefore, the risk is considered low to moderate, and remediation is advised before widespread exploitation occurs.