CVE-2025-12411

Name of the Vulnerable Software and Affected Versions Premmerce Wholesale Pricing for WooCommerce plugin for WordPress versions up to and including 1.1.10

Description The software contains a SQL Injection issue due to insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. This allows authenticated attackers with subscriber-level access or higher to manipulate SQL queries. Exploitation can lead to the extraction of sensitive information from the database and modification of price type display names via the admin-post.php "premmerce update price type" action, resulting in cosmetic corruption of the admin interface. The price type parameter of the "premmerce delete price type" action is also vulnerable. The vulnerable parameter is ID.

Recommendations Update Premmerce Wholesale Pricing for WooCommerce plugin for WordPress to a version later than 1.1.10.