CVE-2025-11894: CWE-862 Missing Authorization in shelfplanner Shelf Planner Inventory Management for WooCommerce
The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to modify several of the plugin's settings like the ServerKey and LicenseKey.
AI Analysis
Technical Summary
The Shelf Planner plugin for WordPress suffers from a missing capability check on multiple REST API endpoints, classified as CWE-862 (Missing Authorization). This flaw permits unauthenticated attackers to modify critical plugin configuration parameters, including ServerKey and LicenseKey, potentially impacting the integrity of the plugin's settings. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium level of severity. It affects all versions up to 2.8.1. There is no vendor advisory or patch link available at this time.
Potential Impact
An attacker without authentication can modify important plugin settings via the REST API, which may lead to unauthorized changes in the plugin's configuration. While confidentiality and availability impacts are not indicated, the integrity of the plugin's settings is compromised. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the Shelf Planner plugin's REST API endpoints and monitor for unexpected changes to its settings (for example ServerKey and LicenseKey). Avoid exposing the plugin's REST API endpoints to unauthenticated users where possible.
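The two defender-side controls the analysis points at, as an added example that is not the Shelf Planner plugin's own code: an interim site-side block for the plugin's REST namespace, and the plugin-side fix for CWE-862 (a `permission_callback` that actually checks a capability). The namespace `example-plugin/v1`, the `/settings` route, the option names and the function names are hypothetical placeholders; substitute the real ones from the plugin.

```php
<?php
// Added example, not the plugin's code. Namespace, route, option and function
// names are hypothetical placeholders.

// 1) Interim site-side mitigation (drop into wp-content/mu-plugins/): refuse calls
//    to the plugin's REST namespace from anyone without the admin capability until a
//    fixed plugin version is installed. rest_pre_dispatch short-circuits when a
//    WP_Error (or any non-null value) is returned.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    if ( 0 === strpos( $route, '/example-plugin/v1/' ) && ! current_user_can( 'manage_options' ) ) {
        error_log( 'Blocked REST call to ' . $route ); // detection signal for log review
        return new WP_Error(
            'rest_forbidden',
            'Insufficient privileges.',
            array( 'status' => rest_authorization_required_code() ) // 401 anon, 403 logged-in
        );
    }
    return $result;
}, 10, 3 );

// 2) Plugin-side fix: the vulnerable pattern is 'permission_callback' => '__return_true'
//    (or omitting it), which WordPress treats as a public route. The hardened version
//    requires an authenticated user with the admin capability and validates input.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function () {
            // Cookie-authenticated requests lacking a valid X-WP-Nonce are treated as
            // user 0, so this also rejects cross-site calls from a logged-in browser.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'server_key'  => array( 'type' => 'string', 'required' => true,
                                    'sanitize_callback' => 'sanitize_text_field' ),
            'license_key' => array( 'type' => 'string', 'required' => true,
                                    'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function example_plugin_save_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_server_key',  $request['server_key'] );
    update_option( 'example_plugin_license_key', $request['license_key'] );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

The `error_log` line gives a simple signal to watch for blocked modification attempts while the interim filter is in place.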
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-16T20:35:18.671Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912b13014bc3e00ba783d1c
Added to database: 11/11/2025, 3:44:48 AM
Last enriched: 4/9/2026, 8:55:07 PM
Last updated: 5/10/2026, 7:44:23 AM