Premmerce Brands for WooCommerce < 1.2.14 – Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update | CVE 2025-12783 | Plugin Vulnerabilities

Description

The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings.

Affects Plugins

premmerce-woocommerce-brands

Fixed in 1.2.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6560ba0b-2190-4d30-b0c4-f07d524ccfde

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada), Powpy

Verified

No

WPVDB ID

bc1f8c98-81b7-497d-bb2f-0e176383dc6d

Timeline

Publicly Published

2025-12-11 (about 5 months ago)

Added

2025-12-11 (about 5 months ago)

Last Updated

2026-02-25 (about 3 months ago)

Other

Published

Title

Published

2025-11-19

Title

Ultimate Member Widgets for Elementor < 2.4 - Missing Authorization to Unauthenticated Information Exposure

Published

2025-06-19

Title

Kata Plus < 1.5.4 - Missing Authorization

Published

2024-01-04

Title

Cloudflare < 4.12.3 - Missing Authorization via initProxy

Published

2024-04-12

Title

Aspose.Words Exporter <= 6.3.1 - Missing Authorization

Published

2025-03-07

Title

WP-Recall – Registration, Profile, Commerce & More < 16.26.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Exeuction