CVE-2026-54849
Deferred Deferred - Pending Action
Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Patchstack

Description
Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-54849
EUVD
EUVD-2026-39373
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
premmerce woocommerce_wishlist to 1.1.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-54849 is an unauthenticated SQL Injection vulnerability found in the Premmerce Wishlist for WooCommerce plugin versions 1.1.11 and earlier.

This flaw allows attackers to interact directly with the website's database without needing to log in or have any privileges.

Because it is an injection vulnerability, it falls under the OWASP Top 10 category A3: Injection.

The vulnerability has a critical severity score of 9.3 (CVSS v3.1), indicating a high risk to affected systems.

Impact Analysis

This vulnerability can have serious impacts because it allows attackers to execute SQL commands on your website's database without authentication.

Attackers could potentially steal sensitive information stored in the database.

It may also lead to partial denial of service or data corruption, as indicated by the CVSS vector showing high confidentiality impact and low availability impact.

Since the vulnerability is exploitable remotely and without any user interaction, it poses a critical risk to website security.

Compliance Impact

This vulnerability allows unauthenticated attackers to perform SQL Injection attacks on the Premmerce Wishlist for WooCommerce plugin, potentially leading to unauthorized access and theft of sensitive information from the website's database.

Such unauthorized access and data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to address this vulnerability could result in violations of these regulations, leading to legal and financial consequences for affected organizations.

Detection Guidance

The vulnerability is an unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce versions 1.1.11 and earlier. Detection typically involves monitoring for suspicious HTTP requests that attempt to exploit SQL Injection flaws.

While specific commands are not provided in the resources, common detection methods include using web application firewalls (WAF) with rules to detect SQL Injection patterns, or analyzing web server logs for unusual query parameters or payloads.

Patchstack has provided a mitigation rule to block attacks until the plugin is updated, which can also aid in detection by logging blocked attempts.

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to update the Premmerce Wishlist for WooCommerce plugin to version 1.1.12 or later, where the SQL Injection flaw has been patched.

Until the update can be applied, users are strongly advised to implement the mitigation rule provided by Patchstack to block attack attempts targeting this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54849. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart