Security Alert Summary
The Premmerce plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in the premmerce_wizard_actions AJAX endpoint. Missing capability checks and insufficient input sanitization and output escaping on the state parameter allow authenticated users (subscriber level and above) to inject scripts that execute when the Premmerce Wizard admin page is viewed.
CVE Details
- CVE ID: CVE-2026-0555
- Affected component: Premmerce plugin for WordPress
- Affected versions: All versions up to, and including, 1.3.20
- Published: February 7, 2026 9:15:59 AM
- Last Modified: February 7, 2026 9:15:59 AM
- CVSS v3.1: Base Score 6.4 (MEDIUM) — Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N - Authentication / Privileges / User Interaction: Authenticated attacker required; privileges required: LOW (subscriber-level and above); user interaction: NONE
- Primary impact: Confidentiality: LOW; Integrity: LOW; Availability: NONE
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation — Stored XSS)
Technical Details
The vulnerability is a stored cross-site scripting issue originating from the plugin’s premmerce_wizard_actions AJAX endpoint. The state parameter is processed without sufficient input sanitization and the output is not properly escaped before rendering on the Premmerce Wizard admin page. In addition, the endpoint lacks appropriate capability checks to restrict access.
Because the endpoint accepts input from authenticated users with subscriber-level access and above and stores content that is later rendered on an admin-facing page, an attacker with the required privileges can inject arbitrary web scripts. Those scripts will execute whenever a user loads the affected Premmerce Wizard admin page, allowing script execution in the context of the victim’s browser.
How This Could Impact Your Website
Consider a typical site with multiple WordPress users: a site owner or administrator, internal staff with editor or author roles, and external contributors or contractors with subscriber-level access. If a subscriber or other low-privilege user is able to submit a crafted value to the state parameter, that script could be stored and later executed when an administrator or other user opens the Premmerce Wizard page.
Practical consequences consistent with the reported impacts include limited disclosure of information available to the browser session (for example, user-visible data such as internal user names or email addresses) and the increased risk of targeted phishing or social engineering directed at site staff. This vulnerability does not, based on the provided information, imply full site takeover, but it can be used to perform actions in the context of an affected user’s session or to exfiltrate data accessible to that session.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (no fixed version is specified in the CVE entry).
- Review and reduce unnecessary user roles and capabilities, especially for contributor and subscriber accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, particularly actions related to the Premmerce Wizard or AJAX endpoints.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Admin.php?marks=41#L41
- https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Handlers/WizardHandler.php?marks=42,50,52#L42
- https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Api/WizardApi.php?marks=38#L38
- https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/views/admin/tabs/wizard.php?marks=30#L30
- https://www.wordfence.com/threat-intel/vulnerabilities/id/90b2a644-19a0-43a1-8ff6-7486d7ef29b3?source=cve