Description
Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.
Published: 2026-06-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Premmerce Wishlist for WooCommerce, versions 1.1.11 and earlier, suffers from an unauthenticated SQL injection flaw (CWE‑89). The vulnerability allows a remote user to send crafted input that is incorporated directly into SQL statements, enabling the execution of arbitrary SQL commands against the WordPress database. This can lead to unintended data reading, modification, or deletion, thereby compromising the integrity and confidentiality of the site data.

Affected Systems

The flaw exists in the Premmerce Wishlist for WooCommerce plugin for WordPress. Any WordPress site that has installed this plugin and is running a version equal to or older than 1.1.11 is vulnerable. Sites that have not updated to 1.1.12 or newer remain affected.

Risk and Exploitability

The CVSS score of 9.3 classifies the vulnerability as critical. The attack vector is remote, requires no authentication, and can be exercised by sending specially crafted HTTP requests to the plugin’s endpoints. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the combination of a high severity rating and the lack of authentication requirements make exploitation highly plausible in practice.

Generated by OpenCVE AI on June 25, 2026 at 16:41 UTC.

Remediation

Vendor Solution

Update the WordPress Premmerce Wishlist for WooCommerce Plugin to the latest available version (at least 1.1.12).

OpenCVE Recommended Actions

  • Update the Premmerce Wishlist for WooCommerce plugin to version 1.1.12 or newer.
  • Disable or uninstall the plugin if it is not required for the site.
  • Ensure the database user accessed by WordPress has only the minimum privileges necessary to reduce the damage an injected query could cause.

Generated by OpenCVE AI on June 25, 2026 at 16:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.
Title WordPress Premmerce Wishlist for WooCommerce plugin <= 1.1.11 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:52:00.964Z

Reserved: 2026-06-16T09:22:02.525Z

Link: CVE-2026-54849

cve-icon Vulnrichment

Updated: 2026-06-25T14:51:57.667Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T16:45:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')