Premmerce

The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmerce_wizard_actions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the `state` parameter. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the Premmerce Wizard admin page).

Published: 2026-02-07T08:26:38.893Z
Updated: 2026-04-08T17:06:48.770Z

Cross-Site Request Forgery (CSRF) vulnerability in Premmerce Premmerce premmerce allows Cross Site Request Forgery.This issue affects Premmerce: from n/a through <= 1.3.19.

Published: 2025-10-29T08:38:14.400Z
Updated: 2026-04-28T16:14:13.438Z

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce premmerce allows PHP Local File Inclusion.This issue affects Premmerce: from n/a through <= 1.3.19.

Published: 2025-11-06T15:55:13.362Z
Updated: 2026-04-28T18:43:56.710Z

Cross-Site Request Forgery (CSRF) vulnerability in Premmerce plugin <= 1.3.17 versions.

Published: 2023-07-17T10:54:06.910Z
Updated: 2026-04-28T16:08:01.497Z

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

Published: 2024-10-16T06:43:30.014Z
Updated: 2026-04-08T16:46:54.861Z