CVE-2025-11457
BaseFortify
Publication date: 2025-11-11
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
| easycommerce | easycommerce | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the EasyCommerce WordPress plugin versions 0.9.0-beta2 to 1.5.0. It allows unauthenticated attackers to escalate their privileges by exploiting the /easycommerce/v1/orders REST API endpoint, which does not properly restrict users from selecting roles during registration. As a result, attackers can gain administrator-level access to the affected site.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to gain administrator-level access to your WordPress site running the vulnerable EasyCommerce plugin. This means the attacker could fully control the site, including modifying content, stealing data, installing malicious code, or disrupting site operations.