CVE-2025-12783
Unknown Unknown - Not Provided

Unauthorized Data Modification in Premmerce Brands WooCommerce Plugin

Vulnerability report for CVE-2025-12783, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-12

Last updated on: 2026-04-08

Assigner: Wordfence

Description

The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-12
Last Modified
2026-04-08
Generated
2026-07-06
AI Q&A
2025-12-12
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
premmerce brands_for_woocommerce *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves checking if the Premmerce Brands for WooCommerce plugin version is 1.2.13 or earlier and verifying if unauthorized users with Subscriber-level access can modify brand permalink settings. Since the vulnerability is due to a missing capability check in the saveBrandsSettings function, you can audit the plugin files for this function or test permission boundaries in the WordPress admin. Specific commands are not provided in the resources, but you can use WordPress CLI commands to check plugin versions, e.g., `wp plugin list` to identify the plugin version, and manual testing of user roles attempting to modify brand permalink settings. Additionally, reviewing the plugin's Admin.php file for missing capability checks can help detect the issue. [1]

Executive Summary

This vulnerability exists in the Premmerce Brands for WooCommerce plugin for WordPress, where a missing capability check in the saveBrandsSettings function allows authenticated users with Subscriber-level access or higher to modify brand permalink settings without proper authorization.

Impact Analysis

An attacker with Subscriber-level access or above could modify brand permalink settings, potentially leading to unauthorized changes in website behavior or content presentation, which could affect site integrity or user experience.

Mitigation Strategies

Immediate mitigation steps include restricting user roles to prevent Subscriber-level users from accessing or modifying brand permalink settings until the plugin is updated or patched. You should update the Premmerce Brands for WooCommerce plugin to a version later than 1.2.13 once available. As a temporary workaround, consider applying custom capability checks or access controls in the plugin code, especially in the saveBrandsSettings function, to ensure only authorized users can modify brand settings. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12783. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart