{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12783", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-05T22:32:16.722Z", "datePublished": "2025-12-12T03:20:47.249Z", "dateUpdated": "2026-04-08T16:57:47.844Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:47.844Z"}, "affected": [{"vendor": "premmerce", "product": "Premmerce Brands for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings."}], "title": "Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6560ba0b-2190-4d30-b0c4-f07d524ccfde?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-brands/tags/1.2.13/src/Admin/Admin.php#L101"}, {"url": "https://plugins.trac.wordpress.org/changeset/3465319/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Powpy"}], "timeline": [{"time": "2025-10-28T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-11T14:30:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T17:49:59.867919Z", "id": "CVE-2025-12783", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:15:15.459Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12783", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T17:49:59.867919Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T17:50:51.199Z"}}], "cna": {"title": "Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Powpy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "premmerce", "product": "Premmerce Brands for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.2.13"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-28T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-12-11T14:30:57.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6560ba0b-2190-4d30-b0c4-f07d524ccfde?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-brands/tags/1.2.13/src/Admin/Admin.php#L101"}], "descriptions": [{"lang": "en", "value": "The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T03:20:47.249Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12783", "state": "PUBLISHED", "dateUpdated": "2025-12-15T18:15:15.459Z", "dateReserved": "2025-11-05T22:32:16.722Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:47.249Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings."}], "id": "CVE-2025-12783", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:39.780", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-brands/tags/1.2.13/src/Admin/Admin.php#L101"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3465319/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6560ba0b-2190-4d30-b0c4-f07d524ccfde?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:29:38.586659+00:00", "value": {"mitigation_remediation": ["Upgrade the Premmerce Brands for WooCommerce plugin to a patched version (any release after 1.2.13).", "If an upgrade is not immediately possible, remove the plugin or disable its brand permalink modification functionality.", "Restrict Subscriber and other non\u2011administrator roles so they cannot modify brand permalink settings by adjusting role capabilities or using a custom restriction."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized data modification of brand permalink settings"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Premmerce Brands for WooCommerce WordPress plugin. All releases up to and including version\u202f1.2.13 are impacted. Users of any WordPress installation running these versions are at risk.", "description_and_impact": "The Premmerce Brands for WooCommerce plugin contains a missing capability check in its saveBrandsSettings function. This flaw allows authenticated users with Subscriber-level access or higher to modify brand permalink settings without authorization. As a result, those users can change URLs, potentially disrupting branding, redirecting traffic, or facilitating malicious content targeting visitors. The flaw is a typical example of a missing authorization check (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation is unlikely at the time. The flaw is not in the CISA KEV catalog. Attackers would need to be authenticated with at least Subscriber privileges; a privilege escalation or compromised account would provide the necessary access."}}}}, "created": "2025-12-12T08:48:13.240640+00:00", "updated": "2026-04-21T17:30:37.704744+00:00", "vendors": ["premmerce", "premmerce$PRODUCT$brands_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}