CVE-2025-11457

Critical

Published: 11 November 2025

Published

11 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 38.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to…

select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site.

Mitigating Controls (NIST 800-53 r5)AI

AC-2 Account Management good match

prevent

AC-2 requires proper management of account creation and authorization allocation, directly preventing unauthenticated attackers from self-assigning administrator roles during registration via the flawed REST API endpoint.

AC-6 Least Privilege good match

prevent

AC-6 enforces the principle of least privilege, ensuring that registration processes do not allow escalation to administrator-level access without authorization.

AC-3 Access Enforcement good match

prevent

AC-3 mandates enforcement of access control policies, which would restrict the /easycommerce/v1/orders endpoint from permitting unauthorized role selection during user registration.

Security SummaryAI

CVE-2025-11457 is a privilege escalation vulnerability in the EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin for WordPress, affecting versions 0.9.0-beta2 through 1.8.2. The flaw arises in the /easycommerce/v1/orders REST API endpoint, which does not properly restrict the ability for users to select roles during registration, enabling escalation to administrator-level access. It is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By leveraging the flawed registration process via the REST API endpoint, attackers can register accounts and self-assign administrator roles, gaining full control over the vulnerable WordPress site.

Mitigation details are outlined in available advisories and patches, including a fix committed in WordPress plugin trac changeset 3392029 at /easycommerce/trunk/app/Abstracts/User.php. Security practitioners should update to a patched version beyond 1.8.2, as referenced on the plugin's WordPress.org page and Wordfence threat intelligence advisory.

Details

CWE(s): CWE-269

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1136.001 Local Account Persistence

Adversaries may create a local account to maintain access to victim systems.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated registration with administrator privileges via a public-facing REST API endpoint, facilitating exploitation of public-facing applications (T1190), exploitation for privilege escalation (T1068), and creation of local administrator accounts (T1136.001).

References

https://plugins.trac.wordpress.org/changeset/3392029/easycommerce/trunk/app/Abstracts/User.php
security@wordfence.com
https://wordpress.org/plugins/easycommerce/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ebe84ba-abc1-410c-b315-118746ff235a?source=cve
security@wordfence.com