CVE-2025-64290 Overview
CVE-2025-64290 is a Cross-Site Request Forgery (CSRF) vulnerability in the Premmerce Product Search for WooCommerce WordPress plugin. The flaw affects all versions up to and including 2.2.4. An attacker can craft a malicious web page that triggers unintended state-changing requests when an authenticated site administrator visits it. Exploitation requires user interaction, and the impact is limited to integrity. The issue is tracked under CWE-352: Cross-Site Request Forgery.
Critical Impact
Successful exploitation allows attackers to perform unauthorized plugin actions on behalf of an authenticated WordPress administrator, potentially modifying search configuration data on the target WooCommerce store.
Affected Products
- Premmerce Product Search for WooCommerce plugin (premmerce-search)
- All versions from n/a through 2.2.4
- WordPress sites running WooCommerce with the affected plugin installed
Discovery Timeline
- 2025-10-29 - CVE-2025-64290 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64290
Vulnerability Analysis
The vulnerability resides in the Premmerce Product Search for WooCommerce plugin, which fails to validate the origin or authenticity of state-changing HTTP requests. WordPress provides nonce tokens (wp_nonce_field, check_admin_referer, wp_verify_nonce) to defend against CSRF, but the affected plugin endpoints do not enforce these checks properly through version 2.2.4.
An attacker crafts a malicious HTML page containing a form or JavaScript that submits requests to the vulnerable plugin endpoint. When a logged-in WordPress administrator visits the attacker-controlled page, the browser automatically attaches session cookies to the outbound request. The plugin processes the request as if it originated from a legitimate administrator action.
The integrity impact is limited, meaning attackers can modify certain plugin settings but cannot directly read sensitive data or cause a denial of service. The scope is unchanged, so the compromise is confined to the vulnerable plugin's context.
Root Cause
The root cause is missing or inadequate CSRF protection on administrative actions exposed by the plugin. Request handlers accept authenticated sessions without validating a nonce token that binds the request to a specific user session and form submission.
Attack Vector
Exploitation is network-based and requires user interaction. An attacker delivers a crafted link or malicious page to a targeted WordPress administrator through phishing, forum posts, or malicious advertisements. The victim must be authenticated to the WordPress admin panel when they visit the attacker's page for the forged request to succeed.
No verified public proof-of-concept code is available for this vulnerability. Refer to the Patchstack Vulnerability Report for additional technical detail.
Detection Methods for CVE-2025-64290
Indicators of Compromise
- Unexpected changes to Premmerce Product Search plugin configuration or search settings within the WordPress admin.
- HTTP POST requests to plugin admin endpoints with Referer headers pointing to external, untrusted domains.
- Administrator session activity coinciding with visits to unfamiliar external websites in browser history.
Detection Strategies
- Review WordPress audit logs for administrative actions targeting premmerce-search endpoints that lack a valid Referer from the site's own domain.
- Inspect web server access logs for state-changing requests to plugin endpoints missing expected nonce parameters (_wpnonce).
- Correlate administrator authentication events with subsequent configuration changes to detect anomalous timing patterns.
Monitoring Recommendations
- Enable WordPress activity logging plugins that capture the source IP, Referer, and request parameters for administrative actions.
- Alert on modifications to WooCommerce and Premmerce plugin settings outside of scheduled maintenance windows.
- Monitor for administrator accounts accessing the WordPress dashboard from atypical geolocations or user agents.
How to Mitigate CVE-2025-64290
Immediate Actions Required
- Update the Premmerce Product Search for WooCommerce plugin to a version later than 2.2.4 once the vendor publishes a fixed release.
- Audit administrator accounts and reduce the number of users with high-privilege WordPress roles.
- Instruct administrators to log out of the WordPress dashboard when not actively managing the site.
Patch Information
At the time of publication, the vulnerability affects all versions through 2.2.4. Consult the Patchstack Vulnerability Report and the Premmerce vendor page for the latest patched version.
Workarounds
- Deactivate the Premmerce Product Search plugin until a patched version is available if the plugin is not business-critical.
- Deploy a Web Application Firewall (WAF) rule that blocks POST requests to wp-admin plugin endpoints missing a valid _wpnonce parameter or lacking a same-origin Referer header.
- Enforce administrator use of separate browser profiles or sessions dedicated to WordPress management to reduce CSRF exposure from general web browsing.
# Example Apache/Nginx rule: block admin POSTs without a same-origin Referer
# Nginx snippet
location ~* /wp-admin/admin(-ajax|-post)\.php$ {
if ($request_method = POST) {
if ($http_referer !~* "^https?://your-site\.com/") {
return 403;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

