CVE-2025-64288

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Premmerce plugin for WordPress, affecting versions from n/a through 1.3.19. This flaw enables an attacker to trick a higher-privileged user, such as an administrator, into executing unintended actions while authenticated, by crafting malicious links or forms that leverage the user's active session [1].

The vulnerability does not require any special privileges from the attacker, but successful exploitation depends on user interaction—a privileged user must click a malicious link, visit a crafted page, or submit a form that triggers a forged request. This attack vector can be used in mass-exploit campaigns targeting multiple websites running the vulnerable plugin version [1].

If exploited, the CSRF vulnerability could allow an attacker to force the targeted user to perform unwanted administrative or other actions under their current authentication level, potentially leading to unauthorized changes in the WordPress site configuration or data. The CVSS v3 base score is 4.3, indicating a medium severity with low exploit complexity but requiring user interaction [1].

As a mitigation, the vendor has released version 1.3.20 which resolves the vulnerability. Users are strongly advised to update to 1.3.20 or later. Patchstack users can also enable auto-updates for vulnerable plugins. The vulnerability is considered low severity and unlikely to be exploited in the wild, but prompt updating is recommended [1].