CVE-2025-64285: Missing Authorization in Premmerce Premmerce Wholesale Pricing for WooCommerce
Missing Authorization vulnerability in Premmerce Premmerce Wholesale Pricing for WooCommerce premmerce-woocommerce-wholesale-pricing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Premmerce Wholesale Pricing for WooCommerce: from n/a through <= 1.1.10.
AI Analysis
Technical Summary
CVE-2025-64285 identifies a missing authorization vulnerability in the Premmerce Wholesale Pricing plugin for WooCommerce, affecting versions up to and including 1.1.10. The vulnerability arises from incorrectly configured access control security levels, allowing users with limited privileges (PR:L) to perform actions they are not authorized to execute. Exploitation requires no user interaction (UI:N) and is possible remotely (AV:N). The scope is unchanged (S:U), meaning the impact is limited to the privileges of the exploited user. The CVSS base score is 5.4 (medium), with impact on confidentiality and integrity and none on availability. The flaw could allow attackers to read or modify wholesale pricing data or related sensitive information, potentially leading to business logic manipulation or data leakage. No public exploits have been reported, but the vulnerability is published and should be addressed promptly. Premmerce Wholesale Pricing is a plugin for managing wholesale pricing tiers in WooCommerce, a widely used e-commerce platform; its European footprint is significant because of WooCommerce's popularity among small and medium-sized online retailers. The root cause is missing or improperly enforced authorization checks in the plugin's code, which authenticated users with limited privileges could use to escalate their access or perform unauthorized operations.
Potential Impact
For European organizations, particularly e-commerce businesses using WooCommerce with the Premmerce Wholesale Pricing plugin, this vulnerability poses a risk of unauthorized access to wholesale pricing configurations and potentially sensitive business data. Confidentiality could be compromised if attackers access pricing tiers or customer data not intended for their role. Integrity risks arise if attackers modify pricing data, potentially causing financial discrepancies or reputational damage. Although availability is not impacted, the business impact could be significant due to loss of trust or financial harm. The vulnerability requires some level of authenticated access, so external attackers would need to compromise or have access to user accounts with limited privileges first. This makes insider threats or compromised credentials a key risk vector. Given the importance of e-commerce in Europe and the reliance on WooCommerce, the vulnerability could affect a broad range of retailers, from small shops to larger wholesalers. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for rapid mitigation.
Mitigation Recommendations
1. Monitor Premmerce's official channels for security patches addressing CVE-2025-64285 and apply updates immediately upon release.
2. Until patches are available, restrict access to the Premmerce Wholesale Pricing plugin features to trusted users on a strict need-to-know basis.
3. Conduct a thorough audit of user roles and permissions in WooCommerce, ensuring that users have the minimum necessary privileges, especially for wholesale pricing management.
4. Implement multi-factor authentication (MFA) for all users with access to WooCommerce admin functions to reduce the risk of compromised credentials.
5. Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin's endpoints.
6. Regularly review logs for unusual access patterns or unauthorized attempts to modify wholesale pricing data.
7. Educate staff on safeguarding credentials and recognizing phishing attempts that could lead to account compromise.
8. Consider isolating the WooCommerce environment or using containerization to limit the blast radius of any potential exploitation.
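As an added illustration (not Premmerce's code; the route, option, capability and function names are hypothetical), the general WordPress PHP pattern behind a missing-authorization finding in a plugin REST endpoint, its hardened form, and a helper for the role audit in step 3:

```php
<?php
// Added example, not the plugin's code. Shows the class of defect described
// in the advisory (an endpoint that changes pricing data without checking
// the caller's capability) next to the corrected registration.

add_action( 'rest_api_init', function () {
    // WEAK: '__return_true' accepts every caller, so an authenticated user
    // with a low-privilege role can reach the callback and change tiers.
    register_rest_route( 'example-wholesale/v1', '/tiers', array(
        'methods'             => 'POST',
        'callback'            => 'example_wholesale_save_tiers',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission callback requires the WooCommerce shop-manager
    // capability; other roles receive HTTP 403 before the callback runs.
    // Cookie-authenticated REST calls still need a valid X-WP-Nonce, which
    // WordPress core enforces separately from this check.
    register_rest_route( 'example-wholesale/v1', '/tiers-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_wholesale_save_tiers',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'tiers' => array( 'required' => true, 'type' => 'array' ),
        ),
    ) );
} );

// Hypothetical handler: stores numeric tiers under a hypothetical option.
function example_wholesale_save_tiers( WP_REST_Request $request ) {
    $tiers = array_map( 'floatval', (array) $request->get_param( 'tiers' ) );
    update_option( 'example_wholesale_tiers', $tiers );
    return rest_ensure_response( array( 'saved' => count( $tiers ) ) );
}

// Audit helper for mitigation step 3: list every role that holds the
// capability gating wholesale pricing so unexpected grants stand out.
// A stock WooCommerce install grants it to administrator and shop_manager.
function example_roles_with_cap( $cap = 'manage_woocommerce' ) {
    $holders = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities'][ $cap ] ) ) {
            $holders[] = $slug;
        }
    }
    return $holders;
}
```

Running `example_roles_with_cap()` (for instance via `wp eval`) after a plugin update is a quick way to confirm no custom or plugin-created role has been granted pricing-management capabilities unintentionally.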
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-29T03:29:08.849Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6901d66086d093201c2b623c
Added to database: 10/29/2025, 8:54:56 AM
Last enriched: 11/13/2025, 1:06:19 PM
Last updated: 12/13/2025, 11:57:01 PM