ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution < 4.8.5 – Incorrect Authorization to Authenticated (Editor+) License Status Update | CVE 2025-11888 | Plugin Vulnerabilities

Description

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses.

Affects Plugins

Fixed in 4.8.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7bdadc84-0cfb-4bec-aeb9-f59f205d269b

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Jonas Benjamin Friedli

Verified

No

WPVDB ID

46e07d6c-46ac-4b8d-aed2-dd9ae1242753

Timeline

Publicly Published

2025-10-24 (about 8 months ago)

Added

2025-10-24 (about 8 months ago)

Last Updated

2025-10-25 (about 8 months ago)

Other

Published

Title

Published

2025-02-11

Title

WP Booking Calendar < 10.10.1 - Unauthenticated Post-Confirmation Booking Manipulation

Published

2026-01-09

Title

Templately < 3.4.9 - Unauthenticated Limited Arbitrary JSON File Write

Published

2024-05-09

Title

LearnPress – WordPress LMS Plugin < 4.2.6.6 - Unauthenticated Bypass to User Registration

Published

2024-01-29

Title

Avada < 7.11.2 - Contributor+ SSRF

Published

2023-06-05

Title

Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution