Description
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.
Published: 2025-09-26
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Assess Impact
AI Analysis

Impact

The plugin performs an inadequate capability check on its post_save() handling routine, allowing any authenticated user who holds at least Editor rights to invoke setting updates. By manipulating these settings, an attacker could alter store configuration, potentially impacting pricing, checkout behavior, or other functional parameters. The flaw is an improper authorization issue (CWE-862).

Affected Systems

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin, up to and including version 4.8.3, is susceptible. Users running these versions in WordPress environments are at risk when they grant Editor or higher role access to the site.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and the EPSS score of < 1% reflects a very small likelihood of exploitation. The vulnerability is not currently listed in CISA’s KEV catalog. Exploitation would require legitimate authentication to the WordPress site with Editor‑level privileges, after which the attacker can submit a form that triggers the faulty capability check. No remote code execution or elevated system privileges are granted directly by this vulnerability, but the strategic impact of altering e‑commerce settings can be significant.

Generated by OpenCVE AI on April 22, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShopEngine plugin to version 4.8.4 or later, where the capability check has been corrected.
  • Restrict the Editor role or higher from accessing the plugin settings page, or use a plugin that enforces stricter capability checks for configuration changes.
  • Ensure that role‑capability mappings are reviewed and that no unintended users have Editor or higher privileges; consider additional role‑based access control measures to limit configuration changes.

Generated by OpenCVE AI on April 22, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31210 The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.
History

Fri, 26 Sep 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Roxnor
Roxnor shopengine Elementor Woocommerce Builder Addon
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Roxnor
Roxnor shopengine Elementor Woocommerce Builder Addon
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.
Title ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.3 - Insufficient Authorization to Authenticated (Editor+) Settings Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Elementor Elementor
Roxnor Shopengine Elementor Woocommerce Builder Addon
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:13.423Z

Reserved: 2025-09-09T14:06:52.606Z

Link: CVE-2025-10173

cve-icon Vulnrichment

Updated: 2025-09-26T19:31:24.153Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T04:15:41.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10173

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses