CVE-2025-11894: CWE-862 Missing Authorization in shelfplanner Shelf Planner
The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to modify several of the plugin's settings like the ServerKey and LicenseKey.
AI Analysis
Technical Summary
CVE-2025-11894 is a vulnerability identified in the Shelf Planner plugin for WordPress, affecting all versions up to and including 2.7.0. The root cause is a missing authorization check (CWE-862) on several REST API endpoints, which means that these endpoints do not verify whether the requester has the necessary permissions to modify plugin settings. As a result, unauthenticated attackers can send crafted HTTP requests to these endpoints and alter critical plugin configuration parameters such as ServerKey and LicenseKey. These keys are typically used for licensing validation and server communication, so unauthorized modification could disrupt plugin functionality, invalidate licenses, or enable attackers to manipulate plugin behavior. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting medium severity, with an attack vector of network (AV:N), no privileges required (PR:N), no user interaction (UI:N), and impact limited to integrity (I:L) without affecting confidentiality or availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was reserved on October 16, 2025, and published on November 11, 2025, by Wordfence. Given the widespread use of WordPress and the plugin’s role in e-commerce and inventory management, this vulnerability poses a risk to website operators who rely on Shelf Planner for critical business functions.
Potential Impact
The primary impact of CVE-2025-11894 is the unauthorized modification of plugin settings, which compromises the integrity of the Shelf Planner plugin configuration. This can lead to license invalidation, disruption of plugin operations, or potential misuse of server communication keys. While it does not directly expose sensitive data or cause denial of service, the ability for unauthenticated attackers to alter configuration remotely can facilitate further attacks or operational disruptions. Organizations using Shelf Planner in their WordPress environments, especially those managing inventory or e-commerce workflows, may experience business interruptions or loss of trust if attackers exploit this vulnerability. The lack of authentication and user interaction requirements makes exploitation straightforward, increasing the risk of automated or opportunistic attacks. Although no exploits are currently known in the wild, the vulnerability’s presence in a widely used plugin increases the likelihood of future exploitation attempts.
Mitigation Recommendations
1. As an immediate mitigation, restrict access to the vulnerable REST API endpoints through web application firewalls (WAFs) or reverse proxies, blocking unauthorized requests that target Shelf Planner endpoints.
2. Temporarily disable or remove the Shelf Planner plugin if it is not critical to operations, until a patch is available.
3. Monitor web server and WordPress logs for suspicious API requests that attempt to modify plugin settings.
4. Implement strict access controls on the WordPress admin area and REST API, including IP whitelisting or authentication enforcement where possible.
5. Regularly check for official patches or updates from the Shelf Planner vendor and apply them promptly once released.
6. Consider using security plugins that can enforce capability checks or restrict REST API access at a granular level.
7. Educate site administrators about the risks of unauthorized REST API access and encourage strong credentials and multi-factor authentication to reduce the overall attack surface.
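As an added example (not Shelf Planner's own code), the two registration patterns below show the root cause and its fix in a WordPress plugin: a REST route whose permission_callback accepts everyone, beside the same route guarded by a capability check and argument sanitization. The plugin namespace, route, option names and function names are hypothetical placeholders.

```php
<?php
// Added illustration, not Shelf Planner's code. The namespace, route, option
// names and function names below are hypothetical placeholders.
// Vulnerable pattern (CWE-862): the permission callback always returns true,
// so any unauthenticated request reaching the settings route can overwrite keys.
function example_plugin_register_vulnerable_route() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,   // POST/PUT/PATCH
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => '__return_true',           // no capability check
    ) );
}

// Hardened pattern: the permission callback enforces a capability, and the
// arguments are typed and sanitized before the callback runs.
function example_plugin_register_hardened_route() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Only users who may manage options can change license/server keys.
            // Cookie-authenticated callers also need a valid X-WP-Nonce header,
            // otherwise WordPress treats the request as unauthenticated.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change these settings.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'server_key'  => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'license_key' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
}

// Shared callback: persists only the parameters that were actually supplied.
function example_plugin_save_settings( WP_REST_Request $request ) {
    foreach ( array( 'server_key', 'license_key' ) as $key ) {
        if ( null !== $request->get_param( $key ) ) {
            update_option( 'example_plugin_' . $key, $request->get_param( $key ) );
        }
    }
    return rest_ensure_response( array( 'updated' => true ) );
}
add_action( 'rest_api_init', 'example_plugin_register_hardened_route' );
```

Auditing a plugin for this class of bug means reviewing every register_rest_route() call for a permission_callback that is missing, is '__return_true', or does not test a capability appropriate to the data the route modifies.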
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-16T20:35:18.671Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912b13014bc3e00ba783d1c
Added to database: 11/11/2025, 3:44:48 AM
Last enriched: 2/27/2026, 7:39:43 PM
Last updated: 3/24/2026, 4:34:34 PM