CVE-2025-12783
Unauthorized Data Modification in Premmerce Brands WooCommerce Plugin
Publication date: 2025-12-12
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| premmerce | brands_for_woocommerce | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Premmerce Brands for WooCommerce plugin version is 1.2.13 or earlier and verifying if unauthorized users with Subscriber-level access can modify brand permalink settings. Since the vulnerability is due to a missing capability check in the saveBrandsSettings function, you can audit the plugin files for this function or test permission boundaries in the WordPress admin. Specific commands are not provided in the resources, but you can use WordPress CLI commands to check plugin versions, e.g., `wp plugin list` to identify the plugin version, and manual testing of user roles attempting to modify brand permalink settings. Additionally, reviewing the plugin's Admin.php file for missing capability checks can help detect the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting user roles to prevent Subscriber-level users from accessing or modifying brand permalink settings until the plugin is updated or patched. You should update the Premmerce Brands for WooCommerce plugin to a version later than 1.2.13 once available. As a temporary workaround, consider applying custom capability checks or access controls in the plugin code, especially in the saveBrandsSettings function, to ensure only authorized users can modify brand settings. [1]
Can you explain this vulnerability to me?
This vulnerability exists in the Premmerce Brands for WooCommerce plugin for WordPress, where a missing capability check in the saveBrandsSettings function allows authenticated users with Subscriber-level access or higher to modify brand permalink settings without proper authorization.
How can this vulnerability impact me? :
An attacker with Subscriber-level access or above could modify brand permalink settings, potentially leading to unauthorized changes in website behavior or content presentation, which could affect site integrity or user experience.