VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published Oct 27, 2025 · Updated Apr 27, 2026

CVE-2025-62890


Description

Cross-Site Request Forgery (CSRF) vulnerability in Premmerce Premmerce Brands for WooCommerce premmerce-woocommerce-brands allows Cross Site Request Forgery. This issue affects Premmerce Brands for WooCommerce: from n/a through <= 1.2.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in Premmerce Brands for WooCommerce (≤1.2.13) allows attackers to force privileged users into unwanted actions without consent.

Vulnerability

Overview

The Premmerce Brands for WooCommerce plugin for WordPress (versions through 1.2.13) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This web security flaw arises because the plugin does not properly validate or enforce anti-CSRF tokens when processing state-changing requests — a common omission that leaves authenticated sessions unprotected from forged submissions [1]. A CSRF token check, which would normally confirm the intentionality of a privileged user's action, is absent in the affected code paths [1].

Exploitation

Prerequisites

Exploitation of this CVE requires user interaction from a privileged account (such as an administrator or editor) [1]. An attacker prepares a specially crafted page, email link, or form that, when visited or clicked by the logged-in user, silently submits a forged request to the target WordPress site [1]. No other authentication is needed: the attack piggybacks on the victim's existing browser session granted by WordPress cookies [1]. The attacker must also have some vector to deliver the malicious link to the target user; however, common channels (social engineering, compromised comments, or embedded content) suffice [1].

Impact

A successful CSRF exploit allows the attacker to force the victim's browser to execute arbitrary actions on the WordPress site as that privileged user — for example, changing plugin settings, assigning product brand terms, or managing other plugin-specific configurations that require elevated privileges [1]. While this does not grant direct code execution or data exfiltration, it compromises the integrity of the site's administrative operations by performing unwanted actions under the victim's identity [1]. The CVSS v3 base score for this vulnerability is 4.3 (Medium), reflecting the requirement for user interaction and the limited scope of impact [1].

Mitigation

The developers have addressed this issue in version 1.2.14 of the plugin [1]. All users are strongly advised to update to this latest release immediately. For sites using Patchstack or similar managed patching services, auto-updates for vulnerable plugins can be enabled to streamline remediation [1]. As a general security best practice, administrators should avoid clicking on unsolicited links while logged into sensitive WordPress accounts, and implement robust CSRF protections on any custom plugin code [1].
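To make the missing check concrete, here is an added illustration that is not code from the Premmerce plugin (this page does not include the affected code): a hypothetical WordPress admin-post handler that saves a brand setting with no nonce or capability check, beside a hardened version using WordPress's own nonce and capability APIs. The action names, option key and form field names are assumed.

```php
<?php
// Added illustration, not the plugin's own code. A hypothetical handler for an
// admin form submitted through admin-post.php.

// --- Vulnerable pattern: state change with no nonce and no capability check ---
// Any request carrying the victim's logged-in cookies is honoured, including one
// that a third-party page submits from the victim's browser.
add_action( 'admin_post_save_brand_setting_vuln', function () {
    update_option( 'example_brand_setting', sanitize_text_field( wp_unslash( $_POST['brand_setting'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-brands' ) );
    exit;
} );

// --- Hardened pattern: capability check, then nonce verification ------------
// The form embeds a per-user nonce that a cross-origin page cannot read or forge.
function example_render_brand_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_brand_setting', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="save_brand_setting">
        <input type="text" name="brand_setting"
               value="<?php echo esc_attr( get_option( 'example_brand_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_save_brand_setting', function () {
    // 1. Authorization: only users permitted to manage options may change this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Intent: the nonce proves the request originated from the form rendered
    //    for this user, which a forged cross-site request cannot supply.
    //    check_admin_referer( 'example_save_brand_setting', 'example_nonce' )
    //    is the one-call equivalent of this block for admin forms.
    $nonce = isset( $_POST['example_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_brand_setting' ) ) {
        wp_die( 'Security check failed.', 403 );
    }
    update_option( 'example_brand_setting', sanitize_text_field( wp_unslash( $_POST['brand_setting'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-brands' ) );
    exit;
} );
```

The nonce check confirms intent, the capability check confirms authorization; both are needed, since a nonce alone does not stop a low-privilege user who can obtain one legitimately.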

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.