CVE-2026-54849 in Wishlist for WooCommerce Plugin

Summary

by MITRE • 06/25/2026

Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions.


Analysis

by VulDB Data Team • 06/25/2026

This vulnerability exists in the Premmerce Wishlist plugin for WooCommerce versions up to and including 1.1.11 where an unauthenticated attacker can execute arbitrary SQL commands through a flaw in input validation. The vulnerability stems from insufficient sanitization of user-supplied data in the plugin's wishlist functionality, specifically within parameters that are directly incorporated into database queries without proper escaping or parameterization. This allows malicious actors to manipulate database operations by injecting SQL code through crafted requests targeting the wishlist endpoints.

The technical implementation of this vulnerability follows a classic SQL injection pattern where user input from HTTP parameters is concatenated directly into SQL query strings. The affected plugin does not properly validate or escape data before incorporating it into database queries, creating an opportunity for attackers to exploit the weakness by submitting malicious payloads that alter the intended query execution flow. This type of vulnerability maps directly to CWE-89, which categorizes improper neutralization of special elements used in SQL commands as a fundamental flaw in database interaction design.
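The concatenation pattern described above, shown beside its parameterized form, as an added example that is not the plugin's own code. It uses an in-memory SQLite table as a stand-in for the plugin's storage; the table name, column names and the `wishlist_id` request parameter are placeholders, since the advisory names none of them.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the plugin's wishlist storage.

    Table and column names are hypothetical; the advisory does not name them.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wishlist_items ("
        "id INTEGER PRIMARY KEY, wishlist_id INTEGER, product_id INTEGER, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO wishlist_items (wishlist_id, product_id, owner) VALUES (?, ?, ?)",
        [(1, 101, "alice"), (1, 102, "alice"), (2, 201, "bob"), (3, 301, "admin")],
    )
    conn.commit()
    return conn


def items_vulnerable(conn, wishlist_id):
    """CWE-89 pattern from the advisory: the request value becomes part of the SQL text."""
    sql = "SELECT product_id FROM wishlist_items WHERE wishlist_id = " + wishlist_id
    return [row[0] for row in conn.execute(sql)]


def items_parameterized(conn, wishlist_id):
    """Hardened form: the value is bound as a parameter, so it can never change the query shape."""
    sql = "SELECT product_id FROM wishlist_items WHERE wishlist_id = ?"
    return [row[0] for row in conn.execute(sql, (wishlist_id,))]


def validate_wishlist_id(raw):
    """Allow-list validation on top of parameterization: accept only a positive integer."""
    if not raw.isdigit() or int(raw) <= 0:
        return None
    return int(raw)


def safe_lookup(conn, raw):
    """Validate first, then query with a bound parameter. Returns None for rejected input."""
    wishlist_id = validate_wishlist_id(raw)
    if wishlist_id is None:
        return None
    return items_parameterized(conn, wishlist_id)


if __name__ == "__main__":
    db = make_db()
    # Honest input behaves the same either way.
    print(items_vulnerable(db, "2"), items_parameterized(db, "2"))
    # A value that carries SQL text widens the concatenated query to every row,
    # while the bound parameter simply fails to match anything.
    print(items_vulnerable(db, "2 OR 1=1"), items_parameterized(db, "2 OR 1=1"))
    print(safe_lookup(db, "2 OR 1=1"))
```

The point of pairing validation with parameterization is that the bound parameter alone already stops the query shape from changing; the integer allow-list additionally rejects malformed input before it reaches the database, which keeps error messages and query logs clean.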

The operational impact of this vulnerability is significant as it allows unauthenticated remote code execution capabilities without requiring any valid user credentials or administrative privileges. Attackers can leverage this weakness to extract sensitive data from the database including customer information, product details, and potentially administrative credentials. The vulnerability affects the core functionality of the ecommerce platform by enabling data manipulation, theft, and potential system compromise through direct database access. This represents a critical risk for online stores relying on the plugin as it undermines the fundamental security assumptions of the web application.

Security mitigations for this vulnerability should include immediate patching to version 1.1.12 or later, where the input validation has been properly implemented. Organizations should also implement parameterized queries and input sanitization across all database interactions within their applications. Additional defensive measures include deploying web application firewalls to detect and block suspicious SQL injection patterns, monitoring database query logs for anomalous activity, and conducting regular security assessments of third-party plugins. The vulnerability aligns with attack techniques documented in the MITRE ATT&CK framework under the category of command and control through data manipulation and credential theft attacks that exploit weak input validation controls.
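The log-monitoring measure above, as an added example that is not part of the advisory: a small scanner over web server access-log lines that URL-decodes the query string of requests to wishlist endpoints and flags parameter values carrying SQL metacharacters or keywords. The `/wishlist/` path and the `id` parameter are hypothetical, since the page names no endpoint, and the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-log-format request line: ip, timestamp, method, target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical endpoint filter; the advisory does not name the plugin's routes.
WISHLIST_PATH = re.compile(r"wishlist", re.I)

# WAF-style rules applied to each decoded parameter value.
RULES = [
    (re.compile(r"'"), "quote"),
    (re.compile(r"(--|#|/\*)"), "sql comment"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "union select"),
    (re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I), "tautology"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based probe"),
]


def parse_line(line):
    """Split one access-log line into its fields; parse_qsl URL-decodes the query values."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": parts.path,
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "status": int(m["status"]),
    }


def classify_value(value):
    """Return the labels of every rule the decoded value matches."""
    return [label for rx, label in RULES if rx.search(value)]


def scan(lines):
    """Yield one finding per suspicious parameter on a wishlist request."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not WISHLIST_PATH.search(rec["path"]):
            continue
        for name, value in rec["params"]:
            hits = classify_value(value)
            if hits:
                findings.append(
                    {"ip": rec["ip"], "ts": rec["ts"], "param": name, "value": value, "rules": hits}
                )
    return findings


# Constructed sample log lines: one benign wishlist request, two suspicious ones,
# and one request to an unrelated path that the endpoint filter skips.
SAMPLE_LINES = [
    '203.0.113.5 - - [25/Jun/2026:10:00:01 +0000] "GET /wishlist/?id=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Jun/2026:10:00:07 +0000] "GET /wishlist/?id=2%20OR%201%3D1 HTTP/1.1" 200 9812',
    '198.51.100.7 - - [25/Jun/2026:10:00:12 +0000] "GET /wishlist/?id=1%27%20UNION%20SELECT%201%2C2%20--%20 HTTP/1.1" 500 0',
    '203.0.113.5 - - [25/Jun/2026:10:00:20 +0000] "POST /cart/?add=5 HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f["ts"], f["ip"], f["param"], repr(f["value"]), ", ".join(f["rules"]))
```

A scanner like this is a triage aid, not a substitute for the patch: decoding is done once, so double-encoded values would need a second pass, and a large response size on a flagged request (as in the second sample line) is the kind of corroborating signal worth surfacing alongside the rule hits.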

Responsible

Patchstack

Reservation

06/16/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
