CVE-2026-54849 describes an unauthenticated SQL Injection vulnerability (CWE-89) in Premmerce Wishlist for WooCommerce affecting versions up to 1.1.11. The vulnerability allows remote attackers to inject SQL commands without any authentication or user interaction, resulting in a critical severity rating with a CVSS 3.1 score of 9.3. The impact includes high confidentiality compromise and low availability impact. No vendor advisory or patch information is currently available, and the remediation level is unknown.

The vulnerability enables unauthenticated attackers to execute arbitrary SQL commands on the affected system, potentially leading to unauthorized disclosure of sensitive data (high confidentiality impact) and limited disruption of service (low availability impact). Integrity impact is not indicated. This could compromise the database underlying the Premmerce Wishlist for WooCommerce plugin.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling the affected plugin or restricting access to it to mitigate risk. Monitor official Premmerce communications for updates and apply any official fixes promptly once released.