Description
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses.
Published: 2025-10-25
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized license status manipulation
Action: Apply Vendor Patch
AI Analysis

Impact

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress has an insufficient capability check in the post_deactivate() and post_activate() functions in all releases up to 4.8.4. This flaw permits an authenticated attacker with Editor-level access or higher to toggle the license status of the plugin, effectively enabling or disabling license protection without proper authorization. The vulnerability is an instance of incorrect authorization (CWE‑863) and could allow attackers to bypass licensing restrictions, potentially leading to unauthorized use of premium features.

Affected Systems

The affected installation is the ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress, specifically versions 4.8.4 and earlier. Any WordPress site that has installed these versions and grants Editor or higher roles to users is at risk.

Risk and Exploitability

With a CVSS score of 2.7, the weakness poses a low overall risk; the EPSS score of less than 1 % indicates that actual exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. Nevertheless, the attack requires only an authenticated account with Editor privileges or higher, making the barrier to exploitation relatively low in environments where such roles are widely granted.

Generated by OpenCVE AI on April 22, 2026 at 12:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShopEngine plugin to version 4.8.5 or later, which addresses the capability check issue
  • If an upgrade is not immediately possible, restrict Editor and higher roles from the post_deactivate() and post_activate() functions using a role‑management plugin or custom code that removes the necessary capability
  • Enable logging or monitoring of license activation and deactivation events to detect unauthorized changes and alert administrators

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elementor; Elementor elementor; Roxnor; Roxnor shopengine Elementor Woocommerce Builder Addon; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress
Vendors & Products | | Elementor; Elementor elementor; Roxnor; Roxnor shopengine Elementor Woocommerce Builder Addon; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 05:45:00 +0000

Type | Values Removed | Values Added
Description | | The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses.
Title | | ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.4 - Incorrect Authorization to Authenticated (Editor+) License Status Update
Weaknesses | | CWE-863
References | |
Metrics | | cvssV3_1 {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:33.826Z

Reserved: 2025-10-16T18:42:51.068Z

Link: CVE-2025-11888

Vulnrichment

Updated: 2025-10-27T16:00:27.698Z

NVD

Status: Deferred

Published: 2025-10-25T06:15:35.690

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z

Weaknesses