Description
The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
Published: 2025-11-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive information disclosure via log file exposure
Action: Upgrade Plugin
AI Analysis

Impact

The Shelf Planner plugin for WordPress exposes sensitive information through publicly accessible log files. An attacker who can reach the web directory can read log contents that may contain credentials, user data, or system configuration details. The weakness is classified as CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory).

Affected Systems

The issue affects Shelf Planner Inventory Management for WooCommerce plugin versions up to and including 2.8.1. Users who are running any of these versions and have not applied recent updates are at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3 (Medium) and an EPSS score of less than 1%, indicating a low likelihood of immediate exploitation. It is not listed in CISA's KEV catalog. Because the attack requires no authentication and relies on openly accessible files, the log contents of a vulnerable site can be read from any external location by requesting the log path.

Generated by OpenCVE AI on April 22, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Shelf Planner to version 2.8.2 or later, which removes the publicly exposed log files.
  • Configure the web server to deny direct access to log directories or file types used by the plugin, ensuring they cannot be reached by unauthenticated users.
  • Delete or archive any existing sensitive log files hosted in the plugin's directory and set appropriate file permissions to restrict access.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Wed, 08 Apr 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.0 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. | The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. |
| Title | Shelf Planner <= 2.7.0 - Unauthenticated Information Exposure via Log Files | Shelf Planner <= 2.8.1 - Unauthenticated Information Exposure via Log Files |
| References | | |

Wed, 12 Nov 2025 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 12 Nov 2025 13:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wordpress, Wordpress wordpress |
| Vendors & Products | | Wordpress, Wordpress wordpress |

Tue, 11 Nov 2025 03:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.0 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. |
| Title | | Shelf Planner <= 2.7.0 - Unauthenticated Information Exposure via Log Files |
| Weaknesses | | CWE-538 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:32.470Z

Reserved: 2025-10-16T19:06:56.650Z

Link: CVE-2025-11891

Vulnrichment

Updated: 2025-11-12T17:30:08.728Z

NVD

Status: Deferred

Published: 2025-11-11T04:15:44.447

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses