CVE-2025-13440: CWE-862 Missing Authorization in premmerce Premmerce Wishlist for WooCommerce
The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-13440 is a Missing Authorization vulnerability (CWE-862) in the Premmerce Wishlist for WooCommerce plugin for WordPress, affecting all versions up to and including 1.1.10. The root cause is a missing capability check in the deleteWishlist() function, which handles wishlist deletion: the function does not verify that the caller is entitled to remove the wishlist named in the request, so any authenticated user with Subscriber-level access or above can invoke it and delete wishlists belonging to other users. Subscriber is the lowest authenticated tier in WordPress and the kind of account that self-registration hands out, so the barrier to exploitation is low: no Editor or Administrator privileges are needed, and no interaction from a victim is required, only the attacker's own login. The CVSS 3.1 base score is 5.3 (medium), reflecting a network attack vector, low attack complexity, a low-privileged account as the only prerequisite, no user interaction, and an impact confined to integrity with no effect on confidentiality or availability. At the time of this analysis no patch had been published and no exploitation in the wild had been reported. The realistic outcome is destruction of customer wishlist data, which matters to any WooCommerce store that has the plugin installed.
Potential Impact
The impact of CVE-2025-13440 is unauthorized deletion of wishlist data: an integrity loss, not a disclosure and not a denial of service. For a store that uses wishlists as part of its sales funnel, a low-privileged user wiping other customers' saved items means lost purchase intent, support load and reputational damage, and the flaw can also be aimed at specific users as a form of harassment. Because only Subscriber-level access is needed, the attacker population is every registered account and, on sites with open registration (the WordPress "Anyone can register" setting, or WooCommerce account creation during checkout or on the My Account page), anyone willing to create one. The scope is limited to sites running the Premmerce Wishlist plugin, but given WooCommerce's share of the e-commerce market that can still be a meaningful number of stores. With no patch available at the time of analysis the exposure window is open-ended, and deleted wishlists can only be recovered from backups.
Mitigation Recommendations
To mitigate CVE-2025-13440, site owners should take the following specific actions:
1) Limit who can obtain an authenticated account. Auditing Subscriber capabilities will not help here, because the vulnerable function performs no capability check at all; what reduces exposure is turning off self-registration (the WordPress "Anyone can register" setting, and WooCommerce account creation at checkout or on the My Account page) where the business does not need it, and removing stale low-privilege accounts.
2) Temporarily deactivate or remove the Premmerce Wishlist plugin until a fixed release is available, especially if wishlists are not critical to operations.
3) Monitor for wishlist deletions, in particular bursts of deletions by a single low-privileged account or deletions of wishlists that account does not own. The plugin's own logging may be minimal, so this usually means logging the deletion request at the web server or WAF layer, or adding a logging hook alongside a local patch.
4) Add WAF or reverse-proxy rules for the HTTP endpoint that reaches deleteWishlist(). A WAF cannot see PHP function names, so identify the concrete request (the admin-ajax.php action or REST route) from the plugin's source; the advisory does not name it. Rate-limit that request and alert on it.
5) Track the vendor's release notes and the Wordfence advisory for a fixed version and update promptly once one ships; after updating, confirm the installed version is above 1.1.10.
6) If an update is not yet available and the plugin must stay active, patch the function locally to add a capability check and an ownership check (the caller must own the wishlist or hold a shop-management capability), and keep the patch only until the vendor release supersedes it.
7) Take and verify a backup of the wishlist tables before anything else: deletion is the only impact, and restoration from backup is the only recovery.
8) Educate administrators about the risk and enforce strong authentication (unique passwords, MFA where the site supports it) so that compromised accounts do not enlarge the attacker population.
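The following PHP is an added example, not code from the Premmerce Wishlist plugin and not a patch for it; it shows the CWE-862 pattern the advisory describes beside the hardened WordPress AJAX handler that items 3 and 6 above ask for. The handler names, the AJAX action name (example_delete_wishlist), the nonce name and the table and column names (wp_example_wishlists with id and user_id) are all assumptions made for the demonstration; the real plugin's internals are not shown on this page.

```php
<?php
/**
 * Added illustrative example, not code from the Premmerce Wishlist plugin.
 * Function names, the AJAX action name ("example_delete_wishlist") and the
 * table/column names (wp_example_wishlists.id / .user_id) are assumptions.
 */

// Vulnerable pattern (CWE-862). Shown for contrast only; it is NOT hooked below.
// Any logged-in user who can reach admin-ajax.php deletes whatever id they send.
function example_delete_wishlist_vulnerable() {
    global $wpdb;
    $wishlist_id = isset( $_POST['wishlist_id'] ) ? absint( $_POST['wishlist_id'] ) : 0;
    // No nonce, no capability check, no ownership check: the id is trusted as-is.
    $wpdb->delete( $wpdb->prefix . 'example_wishlists', array( 'id' => $wishlist_id ), array( '%d' ) );
    wp_send_json_success();
}

// Hardened pattern: nonce, capability check, object-level (ownership) check,
// and a DELETE that is itself scoped to the resolved owner.
function example_delete_wishlist_hardened() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_delete_wishlist', 'nonce' );

    // 2. Capability: 'read' is the lowest capability every role (Subscriber,
    //    WooCommerce Customer) has, so this rejects only unauthenticated callers.
    //    It is the check the advisory says is missing, but alone it is not enough.
    if ( ! current_user_can( 'read' ) ) {
        example_log_denied( 'no capability' );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $wishlist_id = isset( $_POST['wishlist_id'] ) ? absint( $_POST['wishlist_id'] ) : 0;
    if ( 0 === $wishlist_id ) {
        wp_send_json_error( array( 'message' => 'Invalid wishlist id' ), 400 );
    }

    // 3. Authorization on the object: the caller must own this wishlist unless
    //    they hold a shop-management capability (WooCommerce grants
    //    manage_woocommerce to Administrator and Shop Manager).
    $table    = $wpdb->prefix . 'example_wishlists';
    $owner_id = (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT user_id FROM {$table} WHERE id = %d", $wishlist_id )
    );
    $current  = get_current_user_id();

    if ( 0 === $owner_id ) {
        // Unknown id gets the same answer as "not yours" so ids cannot be enumerated.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    if ( $owner_id !== $current && ! current_user_can( 'manage_woocommerce' ) ) {
        example_log_denied( sprintf( 'wishlist %d owned by user %d', $wishlist_id, $owner_id ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 4. Defence in depth: even if step 3 is weakened later, the DELETE only
    //    matches rows that belong to the owner resolved above.
    $deleted = $wpdb->delete(
        $table,
        array( 'id' => $wishlist_id, 'user_id' => $owner_id ),
        array( '%d', '%d' )
    );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Writes denied attempts to the PHP error log (with WP_DEBUG_LOG this lands in
// wp-content/debug.log) so the monitoring in item 3 has something to read:
// user id, roles and source IP are what an analyst needs to spot one low-
// privilege account probing many wishlist ids.
function example_log_denied( $reason ) {
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'anonymous';
    error_log( sprintf(
        '[wishlist-delete-denied] user=%d roles=%s ip=%s reason=%s',
        $user->ID,
        $roles,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $reason
    ) );
}

// Only the hardened handler is registered, and there is deliberately no
// wp_ajax_nopriv_ hook, so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_delete_wishlist', 'example_delete_wishlist_hardened' );
```

The point of step 3 is that a capability check on its own would not close this class of bug: every Subscriber passes current_user_can('read'), so "deleting arbitrary wishlists" is only prevented by comparing the wishlist's owner against the current user. The duplicated user_id condition in the DELETE costs nothing and survives a later refactor that removes the explicit comparison.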
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-19T19:06:21.133Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b9183650da22753edbb25
Added to database: 12/12/2025, 3:52:35 AM
Last enriched: 2/27/2026, 9:52:29 AM
Last updated: 3/25/2026, 3:58:09 PM