CVE-2025-10173 LOW

CVE-2025-10173: ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.3 - Insufficient Authorization to Authenticated (Editor+) Settings Update

Vendor Roxnor
Product ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution
Weakness CWE-862 · Missing authorization
Published September 26, 2025
Last update April 8, 2026

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.

Explanation of Vulnerability in Simple Terms

02 Summary

ShopEngine Elementor WooCommerce Builder Addon versions 4.8.3 and earlier contain an authorization flaw: the capability check on post_save() is incorrect, so authenticated users with Editor-level access or above can update the plugin's settings, which they should not be able to change. The vulnerability requires a high-privilege account and does not affect confidentiality or availability. Site owners should update to a version newer than 4.8.3 when available.

What an attacker can do

03 Attacker Capabilities

An authenticated user with Editor-level access or above can update the plugin's settings, which they are not authorized to change.

Potential impact on your site

04 Site Impact

A malicious user with Editor-level access or above, or an attacker who has compromised such an account, can alter the plugin's settings because the capability check on post_save() is incorrect.

Conditions required to exploit

05 Prerequisites

The attacker must have an authenticated account with Editor-level access or above on the WordPress site.

Key dates

06 Disclosure timeline

September 26, 2025 CVE published
April 8, 2026 Record updated