CVE-2025-11894
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-11-11
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to modify several of the plugin's settings like the ServerKey and LicenseKey.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | shelf_planner | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Shelf Planner plugin for WordPress allows unauthenticated attackers to modify plugin settings such as ServerKey and LicenseKey because several REST API endpoints lack proper capability checks in all versions up to 2.7.0.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to change important plugin settings, potentially leading to misuse or disruption of the plugin's functionality, which could affect the security and operation of your WordPress site.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70