{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13440", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-19T19:06:21.133Z", "datePublished": "2025-12-12T03:20:50.767Z", "dateUpdated": "2026-04-08T17:09:37.959Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:37.959Z"}, "affected": [{"vendor": "premmerce", "product": "Premmerce Wishlist for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists."}], "title": "Premmerce Wishlist for WooCommerce <= 1.1.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wishlist Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9347900c-61c2-4d63-885e-e971c646b737?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/trunk/src/Admin/Admin.php#L334"}, {"url": "https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/tags/1.1.10/src/Admin/Admin.php#L334"}, {"url": "https://plugins.trac.wordpress.org/changeset/3426971/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-12-11T15:05:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T20:11:44.023221Z", "id": "CVE-2025-13440", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:13:29.413Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13440", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T20:11:44.023221Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T20:13:17.671Z"}}], "cna": {"title": "Premmerce Wishlist for WooCommerce <= 1.1.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wishlist Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "premmerce", "product": "Premmerce Wishlist for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T15:05:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9347900c-61c2-4d63-885e-e971c646b737?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/trunk/src/Admin/Admin.php#L334"}, {"url": "https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/tags/1.1.10/src/Admin/Admin.php#L334"}], "descriptions": [{"lang": "en", "value": "The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T03:20:50.767Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13440", "state": "PUBLISHED", "dateUpdated": "2025-12-15T18:13:29.413Z", "dateReserved": "2025-11-19T19:06:21.133Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:50.767Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists."}], "id": "CVE-2025-13440", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:41.997", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/tags/1.1.10/src/Admin/Admin.php#L334"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/premmerce-woocommerce-wishlist/trunk/src/Admin/Admin.php#L334"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3426971/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9347900c-61c2-4d63-885e-e971c646b737?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:15:28.649806+00:00", "value": {"mitigation_remediation": ["Update Premmerce Wishlist for WooCommerce to the latest available version (>=1.1.11) which contains the missing capability check fix.", "If an immediate update is not possible, restrict the deleteWishlist functionality by disabling the plugin\u2019s delete endpoint for Subscriber and lower roles, for example by adding a capability check or removing the delete link for those roles.", "Audit other plugins or custom code for missing capability checks and ensure that only Administrators have the capability to delete wishlists."], "summary": {"action": "Patch", "impact": "Unauthorized Deletion of Wishlists"}, "threat_synthesis": {"affected_systems": "Premmerce Wishlist for WooCommerce, a WordPress plugin, is affected in all releases up to and including version 1.1.10. Any site that has this plugin installed and is running one of those versions is vulnerable.", "description_and_impact": "The Premmerce Wishlist for WooCommerce plugin for WordPress is affected by a missing capability check in its deleteWishlist() function. Authenticated users with Subscriber-level access or higher can invoke this function and delete any wishlist at will. This flaw allows attackers to remove user-generated wishlists without permission, leading to data loss and potential disruption of user experience.", "risk_and_exploitability": "The CVSS v3.1 score of 5.3 indicates a moderate severity, and the EPSS score of < 1% suggests a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. An attacker needs an authenticated WordPress account with Subscriber or higher privileges, and based on the description it is inferred that the attacker can exploit the flaw via the plugin\u2019s delete endpoint, likely through the admin interface or an API call; the attack is local to the site\u2019s host and requires no remote code execution."}}}}, "created": "2025-12-12T08:48:21.742371+00:00", "updated": "2026-04-22T00:30:04.037968+00:00", "vendors": ["premmerce", "premmerce$PRODUCT$wishlist_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}