CVE-2025-12411 in Premmerce Wholesale Pricing for WooCommerce Plugin
Summary
by MITRE • 11/18/2025
The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber level access and above, to manipulate SQL queries that can be used to extract sensitive information from the database and modify price type display names in the database via the admin-post.php "premmerce_update_price_type" action, causing cosmetic corruption of the admin interface. The 'price_type' parameter of the "premmerce_delete_price_type" action is also vulnerable.
Analysis
by VulDB Data Team • 11/18/2025
The CVE-2025-12411 vulnerability affects the Premmerce Wholesale Pricing for WooCommerce plugin, a widely used WordPress extension that adds wholesale pricing to e-commerce stores. It is a critical flaw that lets authenticated attackers with subscriber-level privileges or higher inject SQL into queries the plugin runs against the underlying database. The weakness lies in the plugin's database interaction code, where user input is neither validated nor sanitized before it reaches a query, giving an attacker a path to read and modify data without authorization.
The technical flaw stems from insufficient escaping of user-supplied parameters, in particular the 'ID' parameter, which flows directly into a SQL query without being bound through a prepared statement or otherwise sanitized. This is CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). The vulnerable code is reached through the plugin's admin-post.php endpoint, where two distinct actions are affected: premmerce_update_price_type and premmerce_delete_price_type. The 'price_type' parameter of the delete action shows the same pattern, indicating a systemic problem in how the plugin passes request data into database operations rather than an isolated mistake.
Attackers exploiting this vulnerability can leverage their authenticated access to manipulate database queries and extract sensitive information from the WordPress database. The impact extends beyond simple data exfiltration to include the ability to modify price type display names within the database, which causes cosmetic corruption of the administrative interface. This corruption can obscure important pricing information and potentially mislead both administrators and customers about product pricing. The vulnerability affects all versions up to and including 1.1.10, indicating a prolonged period during which this security flaw remained undetected and exploitable within the plugin's codebase.
The operational impact of this vulnerability is significant for WordPress administrators who rely on the Premmerce plugin for their wholesale pricing operations. Attackers with minimal privileges can potentially access customer data, product information, and pricing structures that should remain protected. This vulnerability falls under the ATT&CK technique T1078.004, which covers legitimate credentials and the use of compromised accounts for persistence and privilege escalation. The affected plugin's database interactions create a vector for attackers to perform unauthorized modifications that could impact business operations and customer trust.
Organizations should implement immediate mitigations including updating to the latest plugin version where this vulnerability has been patched, implementing additional input validation measures, and monitoring database access logs for suspicious activity. The vulnerability demonstrates the importance of proper parameter preparation and input sanitization in web applications, particularly those handling sensitive business data. Security teams should also consider implementing web application firewalls and database activity monitoring solutions to detect and prevent exploitation attempts. This vulnerability highlights the critical need for regular security audits and proper code review processes to identify and remediate SQL injection vulnerabilities before they can be exploited by malicious actors.
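To make the "lack of preparation" in the summary and the "proper parameter preparation" mitigation concrete, here is an added example (not the plugin's actual code, which this page does not reproduce): a hypothetical admin-post.php handler for the premmerce_update_price_type action that concatenates the 'ID' parameter into an UPDATE statement, followed by the same handler hardened with a capability check, a nonce, integer coercion and $wpdb->prepare(). The table name, field names and admin page slug are assumptions.

```php
<?php
// Added example, not the plugin's own code. The table wp_premmerce_price_types,
// its columns and the redirect target are assumptions made for illustration.

// VULNERABLE PATTERN (CWE-89): request values are spliced into the SQL text.
// Nothing checks who the caller is, so any logged-in user who can reach
// admin-post.php runs the query, and 'ID' is never escaped or type-checked,
// so the WHERE clause is whatever the request says it is.
function premmerce_update_price_type_vulnerable() {
    global $wpdb;
    $id   = $_POST['ID'];
    $name = $_POST['name'];
    $wpdb->query(
        "UPDATE {$wpdb->prefix}premmerce_price_types SET name = '$name' WHERE id = $id"
    );
    wp_safe_redirect( admin_url( 'admin.php?page=premmerce-pricing' ) );
    exit;
}

// HARDENED FORM: require a store-management capability and a valid nonce,
// coerce 'ID' to an integer, sanitize the display name, and let
// $wpdb->prepare() bind both values so request data can only ever be data.
function premmerce_update_price_type_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'premmerce_update_price_type' );

    $id   = isset( $_POST['ID'] ) ? absint( wp_unslash( $_POST['ID'] ) ) : 0;
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    if ( 0 === $id || '' === $name ) {
        wp_die( 'Invalid price type.', '', array( 'response' => 400 ) );
    }

    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->prefix}premmerce_price_types SET name = %s WHERE id = %d",
            $name,
            $id
        )
    );
    wp_safe_redirect( admin_url( 'admin.php?page=premmerce-pricing' ) );
    exit;
}

// Register only the hardened handler for the admin-post.php action.
add_action( 'admin_post_premmerce_update_price_type', 'premmerce_update_price_type_hardened' );
```

The same three changes (capability check, integer coercion, %d/%s placeholders in $wpdb->prepare()) apply to the 'price_type' parameter of the delete action, which the summary reports as sharing the pattern.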