External risk intelligence

Premmerce Wishlist for WooCommerce SQL Injection

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-54849

The vulnerability affects a WordPress plugin designed to add wishlist functionality to public-facing e-commerce websites. Because WooCommerce stores are by design public-facing web applications intended for customer interaction, this component is commonly exposed to the internet.

SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in a popular e-commerce plugin that could allow unauthorized access to sensitive data. The issue is a type of SQL injection, which, if exploited, could potentially lead to the exposure of customer information stored in the database. The main concern at this time is confirming whether this plugin is in use and if it is exposed to the internet.

  • Unauthenticated data access risk in e-commerce plugin.
  • Threat to customer data if plugin is exposed.
  • Confirm usage and internet exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this vulnerability by sending specially crafted SQL queries to a vulnerable e-commerce site that uses the Premmerce Wishlist for WooCommerce plugin. This could allow them to access or manipulate sensitive database information, potentially leading to data breaches or service disruptions.

  • No authentication required.
  • Malicious SQL injection.
  • Database compromise and disruption.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated SQL injection vulnerability in the Premmerce Wishlist for WooCommerce plugin could allow an attacker to access or manipulate data within the WordPress database. This could occur when the plugin processes user input without proper sanitization, potentially impacting the integrity and confidentiality of stored information.

  • Stored customer and order data.
  • Via crafted network requests.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability in the Premmerce Wishlist for WooCommerce plugin impacts e-commerce sites running this extension. Given its presence in a public-facing WooCommerce plugin, ownership likely falls to the e-commerce platform team or the application owner responsible for the WooCommerce instance. The immediate practical step is to identify all instances of this plugin, assess their exposure and business criticality, and then coordinate remediation with the vendor or internal development teams.

  • E-commerce platform or application owners.
  • Verify plugin usage and internet exposure.
  • Plan vendor-coordinated remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Premmerce Wishlist for WooCommerce?

It is a WordPress plugin designed to add wishlist features to online stores. By integrating with WooCommerce, it allows shoppers to save items for later purchase, making it a functional component for public-facing e-commerce websites.

What does CVE-2026-54849 mean by SQL injection?

This vulnerability, classified as CWE-89, occurs when software fails to properly sanitize user-supplied data before including it in database queries. In this case, it allows an unauthenticated party to inject their own database commands into the plugin's processes, potentially accessing or altering sensitive information stored in your WordPress database.

How can an attacker trigger this vulnerability?

An attacker triggers this flaw by sending specially crafted network requests to a site running the vulnerable plugin. No authentication or login credentials are required to initiate these requests. It is important to note that simply visiting the site or browsing existing wishlists does not trigger the bug; the attacker must deliberately submit malicious input designed to interact with the database.

Is my site relevant to this CVE?

If you operate a WooCommerce store using this plugin, your site is likely relevant. According to Halo Surface Signal, this component is commonly exposed to the internet because WooCommerce stores are intentionally designed for public customer interaction, which increases the likelihood that your instance is reachable by potential attackers.

What should I do if I run this plugin?

First, identify all instances of this plugin within your e-commerce environment. Once located, assess the business criticality of those sites and their internet exposure. Coordinate with your development team or the plugin vendor to monitor for authorized updates or guidance on securing the database connection.

References