CVE-2025-11888: CWE-863 Incorrect Authorization in roxnor ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses.
AI Analysis
Technical Summary
CVE-2025-11888 identifies an authorization vulnerability in the ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress, affecting all versions up to and including 4.8.4. The vulnerability arises due to insufficient capability checks within the post_deactive() and post_activate() functions, which handle license activation and deactivation processes. Specifically, the plugin fails to properly verify whether the authenticated user has the necessary permissions to perform these actions. As a result, any authenticated user with Editor-level access or higher can manipulate license states, potentially enabling or disabling licenses without proper authorization. This flaw is categorized under CWE-863 (Incorrect Authorization). The CVSS v3.1 base score is 2.7, reflecting a low severity primarily because exploitation requires authenticated access with elevated privileges (Editor or above), no user interaction is needed, and the impact is limited to integrity (license modification) without affecting confidentiality or availability. No public exploits or patches are currently known, and the vulnerability was published on October 25, 2025. The plugin is widely used in WordPress e-commerce sites leveraging WooCommerce, making this a relevant concern for online retailers and service providers using this solution.
Potential Impact
The primary impact of this vulnerability is the unauthorized modification of license activation status within the affected plugin. An attacker with Editor-level access could deactivate valid licenses or activate licenses improperly, potentially disrupting legitimate plugin functionality or enabling unauthorized use of licensed features. While this does not directly compromise sensitive data confidentiality or system availability, it undermines the integrity of license management, which could have downstream effects on business operations, compliance, and revenue protection. For organizations relying on this plugin for e-commerce functionality, unauthorized license manipulation could cause service disruptions or financial losses. However, since exploitation requires elevated authenticated access, the risk is mitigated somewhat by proper access control. The absence of known exploits in the wild reduces immediate urgency but does not eliminate the need for remediation.
Mitigation Recommendations
1. Restrict Editor-level and higher privileges strictly to trusted personnel to minimize the risk of exploitation.
2. Monitor user activities related to license activation and deactivation within the WordPress admin dashboard to detect suspicious behavior.
3. Implement additional access control mechanisms or custom capability checks for license management functions if possible.
4. Regularly update the ShopEngine Elementor WooCommerce Builder Addon plugin as soon as the vendor releases a patch addressing this vulnerability.
5. Consider using WordPress security plugins that can enforce granular permission controls and audit logs.
6. Conduct periodic reviews of user roles and permissions to ensure least privilege principles are enforced.
7. If feasible, temporarily disable license activation/deactivation features or restrict them via custom code until a patch is available.
8. Educate site administrators about the risks of privilege misuse and the importance of secure credential management.
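The following is an added illustration of the capability-check pattern behind recommendations 3 and 7; it is not ShopEngine's code and does not show the vendor's patch. All function, action and option names (example_license_*) are hypothetical. The weak handler gates on edit_posts, a capability Editors hold, which is the kind of check that leaves license changes open to Editor-level accounts; the hardened handler requires a nonce and the administrator-only manage_options capability and writes an audit line.

```php
<?php
// Added example, not the plugin's code; all names here are hypothetical.
// wp_ajax_* hooks fire for any logged-in user, so the handler itself must
// verify both a CSRF nonce and a capability that matches the action's risk.

// Weak pattern (illustrative): 'edit_posts' is granted to the Editor role,
// so this check does not keep Editors away from license changes. This is the
// class of flaw CWE-863 (Incorrect Authorization) describes.
function example_license_activate_weak() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_license_status', 'active' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_license_activate_weak', 'example_license_activate_weak' );

// Hardened pattern: nonce check, administrator-only capability, audit log.
function example_license_set_status( $status ) {
    // Dies with HTTP 403 when the 'nonce' request field is missing or stale.
    check_ajax_referer( 'example_license_nonce', 'nonce' );

    // 'manage_options' is held by Administrators (and Super Admins), not Editors.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient_capability' ), 403 );
    }

    update_option( 'example_license_status', $status );

    // Audit trail so license changes can be reviewed (recommendation 2).
    error_log( sprintf(
        'example_license: status set to %s by user %d',
        $status,
        get_current_user_id()
    ) );

    wp_send_json_success( array( 'status' => $status ) );
}

function example_license_activate() {
    example_license_set_status( 'active' );
}

function example_license_deactivate() {
    example_license_set_status( 'inactive' );
}

add_action( 'wp_ajax_example_license_activate', 'example_license_activate' );
add_action( 'wp_ajax_example_license_deactivate', 'example_license_deactivate' );
```

The client side must send the nonce produced by wp_create_nonce( 'example_license_nonce' ) in the request's nonce field; a request from an Editor now fails at the capability check rather than changing the option.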
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-16T18:42:51.068Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc626907185a1a52fd7613
Added to database: 10/25/2025, 5:38:49 AM
Last enriched: 2/27/2026, 7:38:30 PM
Last updated: 3/22/2026, 2:04:10 AM