CVE-2025-13440 – This vulnerability in the Premmerce Wishlist fo... (How to Fix)

Q: What is the severity of CVE-2025-13440?

CVE-2025-13440 has a CVSS score of 5.3 (MEDIUM). This vulnerability in the Premmerce Wishlist for WooCommerce WordPress plugin allows authenticated users with Subscriber-level access or higher to delete arbitrary wishlists due to missing authorization checks. All WordPress sites using this plugin up to version 1.1.10 are affected. Attackers can disrupt user experience and potentially cause data loss.

📋 TL;DR

This vulnerability in the Premmerce Wishlist for WooCommerce WordPress plugin allows authenticated users with Subscriber-level access or higher to delete arbitrary wishlists due to missing authorization checks. All WordPress sites using this plugin up to version 1.1.10 are affected. Attackers can disrupt user experience and potentially cause data loss.

💻 Affected Systems

Products:

Premmerce Wishlist for WooCommerce WordPress plugin

Versions: All versions up to and including 1.1.10

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with WooCommerce and the vulnerable plugin installed. Any authenticated user (Subscriber role or higher) can exploit this.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Malicious authenticated users could systematically delete all wishlists on the site, causing significant data loss, disrupting user experience, and potentially impacting e-commerce conversion rates.

🟠

Likely Case

Low-privilege authenticated users deleting wishlists belonging to other users, causing minor disruption and potential customer complaints.

🟢

If Mitigated

Limited impact if proper user access controls and monitoring are in place, with only isolated incidents of wishlist deletion.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is technically simple - just calling the vulnerable function without proper authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.11 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/trunk/src/Admin/Admin.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Premmerce Wishlist for WooCommerce'. 4. Click 'Update Now' if update available. 5. Alternatively, download version 1.1.11+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Deactivate the vulnerable plugin until patched

wp plugin deactivate premmerce-woocommerce-wishlist

Restrict User Registration

all

Temporarily disable new user registration to limit attack surface

wp option update users_can_register 0

🧯 If You Can't Patch

Implement additional authorization checks via custom code or security plugin
Monitor and audit wishlist deletion activities in WordPress logs

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.1.10 or lower, you are vulnerable.

Check Version:

wp plugin get premmerce-woocommerce-wishlist --field=version

Verify Fix Applied:

After updating, verify plugin version shows 1.1.11 or higher in WordPress admin plugins list.

📡 Detection & Monitoring

Log Indicators:

Unusual wishlist deletion patterns
Multiple wishlist deletions from single user accounts
Wishlist deletions from low-privilege user roles

Network Indicators:

POST requests to wishlist deletion endpoints from unexpected user roles

SIEM Query:

source="wordpress" AND (event="wishlist_deleted" OR uri_path="/wp-admin/admin-ajax.php") AND user_role="subscriber"

📊 Metadata

CVE ID: CVE-2025-13440

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-862

EPSS Score: 0.04% exploit probability (11.1th percentile)

Published: December 12, 2025

Last Updated: December 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13440, you might also want to check these: