What the vulnerability does
01 Description
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.
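The class of bug described above, shown as an added example that is not ShopEngine's code: a settings-save AJAX handler with a capability check that Editors pass, next to a hardened form. The handler names, the `example_plugin_settings` option, the nonce action and the allowed keys are all hypothetical, and the file is assumed to be loaded as a plugin inside WordPress.

```php
<?php
// Hypothetical handlers for illustration only; every example_* name is an assumption.

// Weak form: 'edit_pages' is granted to the Editor role by default, so any
// Editor passes this check and can overwrite site-wide plugin settings.
function example_post_save_weak() {
    if ( ! current_user_can( 'edit_pages' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // No nonce check and no filtering of the submitted array.
    update_option( 'example_plugin_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}

// Hardened form: verify the nonce, require a capability that only
// Administrators hold by default, and store only known, sanitized keys.
function example_post_save_hardened() {
    // Terminates the request if the nonce is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // Hypothetical allow-list of setting keys this handler may write.
    $allowed = array( 'layout', 'currency_position' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) && is_scalar( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }

    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success();
}

// Register only the hardened handler for logged-in AJAX requests.
add_action( 'wp_ajax_example_save_settings', 'example_post_save_hardened' );
```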
Explanation of Vulnerability in Simple Terms
02 Summary
ShopEngine Elementor WooCommerce Builder Addon versions 4.8.3 and earlier contain an authorization flaw: an incorrect capability check on post_save() lets authenticated users with Editor-level access and above update plugin settings they should not be able to change. The vulnerability requires an authenticated high-privilege account and does not affect confidentiality or availability. Site owners should update to a version newer than 4.8.3 when available.
What an attacker can do
03 Attacker Capabilities
An authenticated user with Editor-level access or above can update the plugin's settings, which they are not authorized to change.
Potential impact on your site
04 Site Impact
A malicious user with Editor-level access or above, or an attacker who has compromised such an account, can alter the plugin's settings because the capability check does not properly restrict the action.
Conditions required to exploit
05 Prerequisites
The attacker must have an authenticated account with Editor-level access or above on the WordPress site.
Key dates
06 Disclosure timeline
September 26, 2025: CVE published
April 8, 2026: Record updated