
CVE-2025-13440: CWE-862 Missing Authorization in premmerce Premmerce Wishlist for WooCommerce

Severity: Medium
Published: Fri Dec 12 2025 (12/12/2025, 03:20:50 UTC)
Source: CVE Database V5
Vendor/Project: premmerce
Product: Premmerce Wishlist for WooCommerce

Description

The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists.

AI-Powered Analysis

AI analysis last updated: 12/12/2025, 04:10:19 UTC

Technical Analysis

CVE-2025-13440 identifies a missing authorization vulnerability (CWE-862) in the Premmerce Wishlist for WooCommerce plugin for WordPress, affecting all versions up to and including 1.1.10. The flaw is the absence of a capability check in the deleteWishlist() function, the code path that removes a wishlist. Because nothing in that function verifies that the caller is allowed to act on the wishlist it is asked to delete, any authenticated user with Subscriber-level privileges or higher can invoke it and delete wishlists belonging to other users. On a WooCommerce store this precondition is weaker than it sounds: the Customer role that WooCommerce assigns to every registered shopper carries only the read capability, the same level as Subscriber, so every customer account is in scope. No elevated privileges and no user interaction are required; an attacker needs only a registered account. The impact is limited to integrity: attackers can delete wishlist data but cannot read other users' data or affect site availability. The score reported here is CVSS v3.1 5.3 (Medium). Verify the vector string against the CNA record before triage: a Subscriber-level precondition corresponds to PR:L, and an integrity-only vector with PR:L and unchanged scope (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) computes to 4.3, whereas 5.3 is the score of the same vector with PR:N. At the time of this analysis no patch and no known exploitation were reported; the "up to, and including, 1.1.10" wording identifies 1.1.10 as the last affected release, so check the plugin's release history for anything newer and confirm its changelog before treating it as the fix. The flaw matters for e-commerce sites that rely on wishlists for customer engagement: deleting customers' wishlists disrupts the shopping experience and can cost sales and reputation.

Potential Impact

For European organizations operating WooCommerce-based e-commerce platforms, this vulnerability allows unauthorized deletion of customer wishlists, undermining customer trust and potentially reducing sales conversion rates. It does not expose personal data or cause service outages, but the integrity compromise affects user experience and brand reputation. Retailers that use wishlists for marketing and customer retention may see those features lose effectiveness. An attacker with an ordinary customer account could also target specific users, for example by repeatedly deleting one person's wishlists as a form of harassment. The impact is greater in markets with high e-commerce penetration and widespread WooCommerce usage, where wishlists are integral to how stores operate. Organizations may face increased support costs and customer dissatisfaction if wishlists are manipulated. Although no exploitation has been reported, the public disclosure raises the likelihood of attempts, especially from insiders or compromised customer accounts.

Mitigation Recommendations

Since no official patch was available at the time of this analysis, organizations should apply compensating controls until a fixed release can be installed:
1) Treat every registered account as in scope. On a WooCommerce store, customer registration creates accounts at Subscriber level (the Customer role), so restricting registration is rarely practical; instead, watch for bulk or scripted sign-ups and for compromised customer accounts.
2) Enforce function-level authorization on wishlist deletion. The correct check is that the caller owns the wishlist being deleted (or holds a staff capability such as manage_woocommerce), not a role gate that blocks customers from deleting their own lists. This can only be retrofitted without editing vendor code if the plugin exposes a hook; edits to the plugin's own files are overwritten on the next update, so prefer an upstream fix.
3) Monitor for unusual wishlist deletion activity. WordPress does not log AJAX or REST actions by default, so filter the web server access log for admin-ajax.php and REST requests where a single account deletes many wishlists, or add logging from a small must-use plugin hooked to the deletion path if the plugin exposes one.
4) Review user roles and permissions regularly and remove stale accounts.
5) Keep WordPress core, WooCommerce and all plugins up to date to reduce the overall attack surface.
6) Watch the plugin's release notes and apply the Premmerce fix promptly once one is published; a release newer than 1.1.10 is the first thing to check.
7) If the risk is unacceptable, deactivate the wishlist plugin until a fix is applied; this removes the vulnerable endpoint outright.
These measures focus on role management and function-level authorization specific to this vulnerability rather than on generic hardening.
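The missing check described in the Technical Analysis, and the function-level authorization recommended in item 2 above, as an added illustration that is not the Premmerce plugin's code: a generic WordPress AJAX handler in the shape that produces CWE-862, beside a hardened version. The hook name, nonce action, table name and column names are assumptions chosen for the example; the advisory only tells us that a deleteWishlist() entry point lacks a capability check.

```php
<?php
/**
 * Illustrative only. This is NOT code from the Premmerce Wishlist plugin;
 * the table `{prefix}example_wishlists`, its `user_id` column, the hook
 * name and the nonce action are all assumptions made for this example.
 */

// --- Vulnerable shape (CWE-862) ---------------------------------------------
// wp_ajax_* hooks are reachable by every logged-in user, including WooCommerce
// customers. Nothing here asks whether the caller owns the wishlist, so any
// wishlist_id taken from the request deletes anyone's list. There is no nonce
// either, so the call is also forgeable from a third-party page.
function example_delete_wishlist_vulnerable() {
    global $wpdb;
    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $wpdb->delete(
        $wpdb->prefix . 'example_wishlists',
        array( 'id' => $wishlist_id ),
        array( '%d' )
    );
    wp_send_json_success();
}

// --- Hardened version --------------------------------------------------------
function example_delete_wishlist_secure() {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() dies with -1 on failure, so nothing below runs.
    check_ajax_referer( 'example_delete_wishlist', 'nonce' );

    // 2. Authentication: wp_ajax_ hooks imply a session, but be explicit.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    $wishlist_id = absint( $_POST['wishlist_id'] ?? 0 );
    $table       = $wpdb->prefix . 'example_wishlists';

    // 3. Authorization, the check CVE-2025-13440 lacks: resolve the owner of the
    //    requested wishlist and compare it with the caller. Staff who hold
    //    WooCommerce's manage_woocommerce capability (Administrator, Shop
    //    Manager) may delete any list; everyone else only their own.
    $owner_id = $wpdb->get_var(
        $wpdb->prepare( "SELECT user_id FROM {$table} WHERE id = %d", $wishlist_id )
    );
    if ( null === $owner_id ) {
        wp_send_json_error( array( 'message' => 'Not found.' ), 404 );
    }

    $current  = get_current_user_id();
    $is_owner = ( (int) $owner_id === $current );
    if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
        // Denied attempts are the signal item 3 of the mitigations asks for;
        // error_log() goes to the PHP error log, which most hosts retain.
        error_log( sprintf(
            'wishlist delete denied: user=%d wishlist=%d owner=%d',
            $current, $wishlist_id, (int) $owner_id
        ) );
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 4. Scope the DELETE to the id AND the owner, so a later change to the
    //    checks above cannot silently widen what this statement can remove.
    $deleted = $wpdb->delete(
        $table,
        array( 'id' => $wishlist_id, 'user_id' => (int) $owner_id ),
        array( '%d', '%d' )
    );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Register only the authenticated variant. Leaving wp_ajax_nopriv_ unregistered
// means anonymous callers are rejected by admin-ajax.php before any code runs.
add_action( 'wp_ajax_example_delete_wishlist', 'example_delete_wishlist_secure' );
```

The front-end must send the matching nonce (generated with wp_create_nonce( 'example_delete_wishlist' ) and handed to the script, for instance via wp_localize_script) as the `nonce` field. Note that a nonce alone would not have prevented this CVE: it stops cross-site forgery, not a logged-in customer deleting someone else's list. The ownership comparison in step 3 is the authorization the advisory describes as missing, and it is the part that cannot be added from outside the plugin unless the vendor exposes a hook before the delete.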


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-11-19T19:06:21.133Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 693b9183650da22753edbb25

Added to database: 12/12/2025, 3:52:35 AM

Last enriched: 12/12/2025, 4:10:19 AM

Last updated: 12/14/2025, 6:30:47 AM
