Attack Vectors
Premmerce (WordPress plugin slug: premmerce) has a Medium-severity Stored Cross-Site Scripting (XSS) vulnerability (CVSS 6.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) tracked as CVE-2026-0555. It affects versions up to and including 1.3.20.
The attack requires an authenticated WordPress user with Subscriber access (or higher). In practical terms, this can include accounts created through public registration, compromised credentials from phishing/password reuse, or accounts created for partners/vendors and left active.
An attacker can inject script payloads through the premmerce_wizard_actions AJAX endpoint using the state parameter. The injected script is stored and executes when someone visits the affected admin interface (the Premmerce Wizard admin page), meaning the risk is highest for users who manage site settings and plugins.
Security Weakness
This issue is caused by a combination of missing capability checks and insufficient input sanitization and output escaping for the state parameter on the premmerce_wizard_actions AJAX endpoint. As a result, users who should not be able to affect administrative workflows can store content that executes as code in a privileged browser session.
Because this is a Stored XSS, the payload persists and fires every time an authorized user loads the Premmerce Wizard admin page, until the malicious value is removed from storage.
Remediation: Update Premmerce to 1.3.21 or newer (patched). Source: Wordfence vulnerability advisory.
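To make the weakness class concrete for plugin maintainers and reviewers, here is an added illustration of a WordPress admin-ajax handler that applies the three controls whose absence the advisory describes: a capability check, input sanitization with allow-listing, and escaping at output time. This is example code written for this page, not Premmerce's own code (the advisory does not show it); the action name example_wizard_actions, the nonce name, the option key example_wizard_state, the manage_options capability and the allow-listed state values are all assumptions. The weak pattern the advisory describes is the same handler with the capability check missing and the stored value echoed without escaping.

```php
<?php
// Added illustration, not Premmerce code. Function names, the option key, the
// capability and the allowed state values are assumptions for this example.

// Hypothetical action name; the advisory's real endpoint is premmerce_wizard_actions.
add_action( 'wp_ajax_example_wizard_actions', 'example_wizard_actions' );

function example_wizard_actions() {
    // 1. Capability check. Without this, any authenticated user (Subscriber
    //    and up) can reach the handler, which is the access gap the advisory names.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce bound to this action.
    //    check_ajax_referer() terminates the request on a bad or missing nonce.
    check_ajax_referer( 'example_wizard_nonce', 'nonce' );

    // 3. Input sanitization: wp_unslash() undoes WordPress's magic quoting,
    //    sanitize_text_field() strips tags, line breaks and control characters.
    $state = isset( $_POST['state'] )
        ? sanitize_text_field( wp_unslash( $_POST['state'] ) )
        : '';

    // 4. Allow-listing beats sanitizing when the value space is known: a wizard
    //    step name has no business containing markup at all.
    $allowed = array( 'start', 'products', 'payment', 'done' ); // assumed values
    if ( ! in_array( $state, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid state' ), 400 );
    }

    update_option( 'example_wizard_state', $state );
    wp_send_json_success( array( 'state' => $state ) );
}

// Rendering the stored value on the admin page. Escape at output time so that a
// value which slipped past the storage-side checks (or was written by older,
// unpatched code) still renders as text rather than executing as script.
function example_render_wizard_state() {
    $state = get_option( 'example_wizard_state', '' );
    echo '<p>Wizard state: ' . esc_html( $state ) . '</p>';
}

// Cleanup helper for incident response on a site that ran a vulnerable version:
// a stored value that changes when all tags are stripped carried markup and
// should be reset. wp_strip_all_tags() trims whitespace, hence the trim() on the
// comparison side.
function example_option_contains_markup( $value ) {
    return wp_strip_all_tags( (string) $value ) !== trim( (string) $value );
}
```

Usage: register the handler in the plugin's main file, pass the nonce from `wp_create_nonce( 'example_wizard_nonce' )` to the admin page's JavaScript as the `nonce` POST field, and run `example_option_contains_markup( get_option( 'example_wizard_state' ) )` during cleanup to decide whether the stored value needs resetting. The output-time `esc_html()` is the control that matters most for existing sites, because it neutralizes values that were stored before the update to 1.3.21.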
Technical or Business Impacts
If exploited, this vulnerability can allow attacker-controlled scripts to run in the browser of an administrator or other privileged user viewing the Premmerce Wizard page. That can translate into business-impacting outcomes such as unauthorized changes to site configuration, creation of new accounts or permission changes (depending on what the victim can do), and insertion of unwanted content that affects brand integrity and customer trust.
From a leadership and compliance standpoint, the primary risks include: operational disruption (time spent on incident response and cleanup), reputational damage if malicious content is served to internal users or cascades into broader compromise, and increased exposure to follow-on attacks if privileged sessions or administrative actions are hijacked through the browser.
Similar Attacks: Stored XSS has been a recurring class of WordPress security issues, including vulnerabilities tracked as CVE-2019-8942 and CVE-2019-8943.