CVE-2025-13440 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Premmerce Wishlist for WooCommerce plugin for WordPress, affecting all versions up to and including 1.1.10. The root cause is the absence of a proper capability check in the deleteWishlist() function, which is responsible for deleting user wishlists. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke this function and delete arbitrary wishlists belonging to other users. Since WooCommerce is a widely used e-commerce platform and Premmerce Wishlist is a popular plugin for managing customer wishlists, this vulnerability can lead to unauthorized modification of user data, specifically the deletion of wishlists without proper authorization. The CVSS v3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based (remote), requires low attack complexity, no privileges beyond subscriber-level, and no user interaction. The impact is limited to integrity loss, as confidentiality and availability are not affected. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability could be exploited by attackers who have gained subscriber-level access, which might be obtained through credential stuffing, phishing, or other means. This makes it important for site administrators to review user roles and permissions and monitor for suspicious activity. The vulnerability affects all versions of the plugin up to 1.1.10, so upgrading to a fixed version (once available) or applying custom authorization checks is recommended.

For European organizations operating e-commerce websites using WooCommerce with the Premmerce Wishlist plugin, this vulnerability can lead to unauthorized deletion of customer wishlists, undermining customer trust and potentially impacting sales and user experience. While it does not expose sensitive data or cause service outages, the integrity breach could result in customer dissatisfaction and reputational damage. Attackers with subscriber-level access—often the lowest authenticated role—can exploit this flaw, increasing the risk if user accounts are compromised or if weak access controls are in place. This could also facilitate further social engineering or privilege escalation attacks. The impact is particularly relevant for mid to large-scale online retailers in Europe who rely on wishlists as part of their customer engagement and sales strategies. Loss of wishlist data may also complicate marketing efforts and analytics. Additionally, regulatory compliance under GDPR requires protecting user data integrity, so failure to address this vulnerability might have legal implications if it leads to data manipulation or loss.

European organizations should immediately audit their WordPress installations to identify the use of the Premmerce Wishlist for WooCommerce plugin and verify the version in use. Until an official patch is released, administrators should implement custom authorization checks in the deleteWishlist() function to ensure only authorized roles (e.g., administrators or shop managers) can delete wishlists. Restricting subscriber-level users from accessing wishlist deletion functionality via role management plugins or custom code is advisable. Monitoring and logging wishlist deletion events can help detect suspicious activity early. Organizations should enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of account compromise at the subscriber level. Regularly updating all WordPress plugins and themes is critical once a patch becomes available. Additionally, consider isolating or disabling the wishlist feature if it is not essential to business operations. Security teams should also educate users about phishing and credential hygiene to prevent unauthorized access.