CVE-2026-54849 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-54849: WordPress Premmerce Wishlist for WooCommerce plugin <= 1.1.11 - SQL Injection vulnerability

Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce versions <= 1.1.11.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is an unauthenticated SQL injection vulnerability in the Premmerce Wishlist for WooCommerce WordPress plugin, affecting all versions up to and including 1.1.11. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation gives the attacker read access to the underlying database, exposing stored records, and can cause partial service disruption. No fix has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images that include this plugin, covering both registry-hosted and custom-built images. Any image found to contain an affected version of the Premmerce Wishlist for WooCommerce plugin is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.3 Critical using the published CVSS v3.1 vector and surfaces it with that severity in each customer org's findings dashboard. Per-environment compliance policy weighting is applied, and the finding is routed to the team inbox configured for critical-severity WordPress or WooCommerce component alerts within that org.

Patch: Pending upstream

Because no upstream fix version has been published for this CVE, no patched-image rebuild is currently available. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Premmerce or Patchstack publishes a remediated release.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress installation.

  • Authentication: Not required

    No account or session token is needed; the injection can be triggered by any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attacker does not need to trick any user into taking an action; exploitation is fully server-side.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or environmental preconditions.

Blast Radius

  • An attacker can read arbitrary rows from the WordPress database, including stored user credentials (hashed passwords), email addresses, WooCommerce order records, and wishlist data.
  • If the database user has access to other schemas or linked tables, the read scope extends beyond the WordPress installation itself.
  • The A:L (low availability impact) rating means the injection can also degrade database or application responsiveness, causing partial service disruption for end users.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously against all customer images that bundle the Premmerce Wishlist for WooCommerce plugin at version 1.1.11 or earlier. Because no upstream patch exists, the recommended interim compensating controls include applying a web application firewall rule to block or sanitize requests to the affected plugin endpoints, restricting network-policy egress from the WordPress container to limit what the database connection can reach, and disabling the wishlist feature via its plugin settings or a feature flag if the functionality is not critical to current operations. HarborGuard will re-evaluate the advisory on each ingest cycle and, the moment a fix version is published, a patched-image rebuild becomes available automatically; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Affected packages
  • Premmerce / Premmerce Wishlist for WooCommerce
    ≤ 1.1.11
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L