{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11888", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-16T18:42:51.068Z", "datePublished": "2025-10-25T05:31:21.952Z", "dateUpdated": "2026-04-08T17:02:33.826Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:33.826Z"}, "affected": [{"vendor": "roxnor", "product": "ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses."}], "title": "ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution <= 4.8.4 - Incorrect Authorization to Authenticated (Editor+) License Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bdadc84-0cfb-4bec-aeb9-f59f205d269b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3381211/shopengine/tags/4.8.5/libs/license/license-route.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-16T18:58:03.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T16:00:21.993915Z", "id": "CVE-2025-11888", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T16:00:31.674Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11888", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T16:00:21.993915Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T16:00:27.698Z"}}], "cna": {"title": "ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution <= 4.8.4 - Incorrect Authorization to Authenticated (Editor+) License Status Update", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "roxnor", "product": "ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-16T18:58:03.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bdadc84-0cfb-4bec-aeb9-f59f205d269b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3381211/shopengine/tags/4.8.5/libs/license/license-route.php"}], "descriptions": [{"lang": "en", "value": "The ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:33.826Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11888", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:33.826Z", "dateReserved": "2025-10-16T18:42:51.068Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T05:31:21.952Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses."}], "id": "CVE-2025-11888", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T06:15:35.690", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3381211/shopengine/tags/4.8.5/libs/license/license-route.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bdadc84-0cfb-4bec-aeb9-f59f205d269b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:37:40.711815+00:00", "value": {"mitigation_remediation": ["Upgrade the ShopEngine plugin to version 4.8.5 or later, which addresses the capability check issue", "If an upgrade is not immediately possible, restrict Editor and higher roles from the post_deactivate() and post_activate() functions using a role\u2011management plugin or custom code that removes the necessary capability", "Enable logging or monitoring of license activation and deactivation events to detect unauthorized changes and alert administrators"], "summary": {"action": "Apply Vendor Patch", "impact": "Unauthorized license status manipulation"}, "threat_synthesis": {"affected_systems": "The affected installation is the ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution plugin for WordPress, specifically versions 4.8.4 and earlier. Any WordPress site that has installed these versions and grants Editor or higher roles to users is at risk.", "description_and_impact": "The ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution plugin for WordPress is compromised by an insufficient capability check in the post_deactivate() and post_activate() functions in all releases up to 4.8.4. This flaw permits an authenticated attacker with Editor-level access or higher to toggle the license status of the plugin, effectively enabling or disabling license protection without proper authorization. The vulnerability represents a classic example of insufficient authorization (CWE\u2011863) and could allow attackers to bypass licensing restrictions, potentially leading to unauthorized use of premium features.", "risk_and_exploitability": "With a CVSS score of 2.7, the weakness poses a low overall risk; the EPSS score of less than\u202f1\u202f% indicates that actual exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. Nevertheless, the attack requires only an authenticated account with Editor privileges or higher, making the barrier to exploitation relatively low in environments where such roles are widely granted."}}}}, "created": "2025-10-27T22:10:13.028454+00:00", "updated": "2026-04-22T12:45:17.023721+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "roxnor", "roxnor$PRODUCT$shopengine_elementor_woocommerce_builder_addon", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}