{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-11888", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-16T18:42:51.068Z", "datePublished": "2025-10-25T05:31:21.952Z", "dateUpdated": "2025-10-25T05:31:21.952Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-25T05:31:21.952Z"}, "affected": [{"vendor": "roxnor", "product": "ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "4.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses."}], "title": "ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution <= 4.8.4 - Incorrect Authorization to Authenticated (Editor+) License Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bdadc84-0cfb-4bec-aeb9-f59f205d269b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3381211/shopengine/tags/4.8.5/libs/license/license-route.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-16T18:58:03.000+00:00", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T00:00:00.000+00:00", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ShopEngine Elementor WooCommerce Builder Addon \u2013 All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses."}], "id": "CVE-2025-11888", "lastModified": "2025-10-25T06:15:35.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-10-25T06:15:35.690", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3381211/shopengine/tags/4.8.5/libs/license/license-route.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bdadc84-0cfb-4bec-aeb9-f59f205d269b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{}