CVE-2025-11894 identifies a missing authorization vulnerability (CWE-862) in the Shelf Planner plugin for WordPress, affecting all versions up to and including 2.7.0. The vulnerability arises because the plugin's REST API endpoints lack proper capability checks, allowing unauthenticated attackers to send requests that modify sensitive plugin settings such as ServerKey and LicenseKey. These keys are critical for plugin operation and licensing, and unauthorized changes could disrupt service or enable license circumvention. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction needed, unchanged scope, no confidentiality or availability impact, but integrity is impacted. Although no public exploits are known, the ease of exploitation and potential for unauthorized configuration changes make this a significant concern for affected sites. The lack of patch links suggests a fix may not yet be available, emphasizing the need for mitigation. This vulnerability could be leveraged as a foothold for further attacks or to disrupt plugin functionality.

For European organizations, this vulnerability poses a risk primarily to the integrity of WordPress sites using the Shelf Planner plugin, which is often employed for inventory and shelf management in retail and e-commerce sectors. Unauthorized modification of ServerKey and LicenseKey could lead to license invalidation, service disruption, or enable attackers to manipulate plugin behavior, potentially affecting business operations. While confidentiality and availability are not directly impacted, the integrity compromise could facilitate further exploitation or unauthorized access if combined with other vulnerabilities. Organizations relying on Shelf Planner for critical inventory management may experience operational disruptions or financial losses. The medium CVSS score reflects moderate risk, but the ease of exploitation and unauthenticated access increase urgency for mitigation. Given the widespread use of WordPress in Europe, especially in small to medium enterprises, the threat surface is significant. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks.

European organizations should immediately audit their WordPress installations to identify the presence of the Shelf Planner plugin and its version. If the plugin is installed and unpatched, organizations should restrict access to the REST API endpoints related to Shelf Planner by implementing web application firewall (WAF) rules that block unauthenticated requests targeting these endpoints. Additionally, disabling or limiting REST API access for unauthenticated users site-wide can reduce exposure. Monitoring web server logs for suspicious POST or PATCH requests to Shelf Planner endpoints can help detect exploitation attempts. Organizations should also contact the plugin vendor or monitor official channels for patches or updates addressing this vulnerability and apply them promptly once available. As a longer-term measure, consider isolating WordPress management interfaces behind VPNs or IP whitelisting to reduce attack surface. Regular backups and integrity checks of plugin configuration data will aid in recovery if unauthorized changes occur. Finally, educating site administrators about the risks of unauthorized plugin modifications is essential.