CVE-2025-11457: CWE-269 Improper Privilege Management in easycommerce EasyCommerce – AI-Powered WordPress Ecommerce Plugin to Sell Digital Products, Subscriptions & Physical Goods
The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site.
AI Analysis
Technical Summary
The EasyCommerce WordPress plugin contains a privilege escalation vulnerability (CWE-269) due to insufficient access control on the /easycommerce/v1/orders REST API endpoint. This endpoint improperly allows unauthenticated users to specify roles during registration, enabling attackers to escalate privileges to administrator level. The vulnerability affects versions 0.9.0-beta2 through 1.8.2. The CVSS 3.1 base score is 9.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. There is no vendor advisory or patch information available at this time.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to gain administrator privileges on a vulnerable WordPress site running the EasyCommerce plugin. This level of access allows full control over the site, including the ability to modify content, install malicious code, and compromise site integrity and availability. The vulnerability is critical due to the ease of exploitation and the high impact on the affected system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the REST API endpoints if possible, and monitor for suspicious registration activity. Avoid using affected versions of the EasyCommerce plugin in production environments. Follow vendor channels closely for updates and apply patches promptly once available.
CVE-2025-11457: CWE-269 Improper Privilege Management in easycommerce EasyCommerce – AI-Powered WordPress Ecommerce Plugin to Sell Digital Products, Subscriptions & Physical Goods
Description
The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The EasyCommerce WordPress plugin contains a privilege escalation vulnerability (CWE-269) due to insufficient access control on the /easycommerce/v1/orders REST API endpoint. This endpoint improperly allows unauthenticated users to specify roles during registration, enabling attackers to escalate privileges to administrator level. The vulnerability affects versions 0.9.0-beta2 through 1.8.2. The CVSS 3.1 base score is 9.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. There is no vendor advisory or patch information available at this time.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to gain administrator privileges on a vulnerable WordPress site running the EasyCommerce plugin. This level of access allows full control over the site, including the ability to modify content, install malicious code, and compromise site integrity and availability. The vulnerability is critical due to the ease of exploitation and the high impact on the affected system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the REST API endpoints if possible, and monitor for suspicious registration activity. Avoid using affected versions of the EasyCommerce plugin in production environments. Follow vendor channels closely for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-07T18:32:16.049Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6912b12e14bc3e00ba783ca3
Added to database: 11/11/2025, 3:44:46 AM
Last enriched: 4/9/2026, 3:54:19 PM
Last updated: 5/10/2026, 2:40:28 PM
Views: 235
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.