CVE-2025-64288 Overview
CVE-2025-64288 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting the Premmerce WordPress plugin. The flaw impacts all versions from initial release through 1.3.19. An attacker can trick an authenticated user into submitting a forged request that performs unintended actions within the plugin. Successful exploitation requires user interaction, such as clicking a crafted link or visiting an attacker-controlled page.
The vulnerability carries a CVSS 3.1 base score of 4.3 (Medium). The current EPSS probability is 0.117%, placing it in a low-likelihood exploitation range. No public proof-of-concept or in-the-wild exploitation has been reported.
Critical Impact
An attacker can leverage a forged request to alter Premmerce plugin state on behalf of an authenticated WordPress user, resulting in low-impact integrity changes.
Affected Products
- Premmerce WordPress plugin versions up to and including 1.3.19
- WordPress installations with the Premmerce plugin enabled
- Sites relying on Premmerce for e-commerce functionality
Discovery Timeline
- 2025-10-29 - CVE-2025-64288 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64288
Vulnerability Analysis
The Premmerce plugin fails to validate the origin or authenticity of state-changing HTTP requests. WordPress plugins are expected to use nonces (wp_nonce_field, check_admin_referer, or wp_verify_nonce) to bind sensitive actions to a specific user session. When these controls are missing or improperly implemented, browsers will silently attach the victim's authentication cookies to attacker-crafted requests.
The issue is tracked as CWE-352 (Cross-Site Request Forgery). Exploitation requires an authenticated WordPress user to visit an attacker-controlled page while logged in. The forged request executes with the victim's privileges against the vulnerable Premmerce endpoint.
Root Cause
The root cause is the absence or improper validation of anti-CSRF tokens on one or more state-changing actions exposed by the Premmerce plugin through version 1.3.19. Without token verification, the plugin cannot distinguish legitimate user-initiated requests from requests forged by third-party origins.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a malicious page containing an auto-submitting form or crafted image tag pointing at the vulnerable Premmerce endpoint. When an authenticated WordPress user visits the page, the browser transmits session cookies with the request. The plugin processes the request as legitimate, allowing the attacker to modify plugin data or configuration within the victim's privilege scope.
For technical details, refer to the Patchstack Vulnerability Advisory.
Detection Methods for CVE-2025-64288
Indicators of Compromise
- Unexpected changes to Premmerce plugin settings or product data without corresponding admin session activity
- WordPress access logs showing POST requests to Premmerce endpoints with external Referer headers
- Administrator accounts reporting unfamiliar page visits shortly before configuration changes
- Requests to plugin action handlers lacking a valid _wpnonce parameter
Detection Strategies
- Review web server logs for POST requests to /wp-admin/admin.php or /wp-admin/admin-ajax.php targeting Premmerce actions with cross-origin Referer values
- Compare plugin configuration state against a known-good baseline on a scheduled basis
- Enable WordPress audit logging to capture user-initiated administrative changes and correlate with browser session context
Monitoring Recommendations
- Alert on state-changing requests to Premmerce endpoints missing the _wpnonce token
- Track authenticated administrator activity for anomalous request patterns immediately following outbound browsing
- Forward WordPress and web server logs to a centralized SIEM for correlation across sessions and origins
How to Mitigate CVE-2025-64288
Immediate Actions Required
- Update the Premmerce plugin to a version later than 1.3.19 once the vendor releases a fix
- Audit administrator accounts and review recent configuration changes for signs of forged requests
- Enforce least privilege on WordPress accounts to limit the actions available through a CSRF attack
Patch Information
At the time of NVD publication, the vulnerability affected Premmerce versions up to and including 1.3.19. Administrators should monitor the Patchstack Vulnerability Advisory and the official Premmerce plugin repository for a patched release and apply it promptly.
Workarounds
- Deactivate the Premmerce plugin until a patched version is available if the affected functionality is not business-critical
- Deploy a web application firewall rule to block requests to Premmerce endpoints lacking a valid _wpnonce parameter or with untrusted Referer headers
- Require administrators to log out of WordPress sessions when browsing untrusted sites, or use a dedicated browser profile for site administration
- Enforce SameSite=Lax or SameSite=Strict on WordPress session cookies to reduce cross-origin request risk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

