CVE-2025-11457 CRITICAL

CVE-2025-11457: EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin 0.9.0-beta2 - 1.8.2 - Unauthenticated Privilege Escalation

Vendor Easycommerce
Product EasyCommerce – AI-Powered WordPress Ecommerce Plugin to Sell Digital Products, Subscriptions & Physical Goods
Weakness CWE-269
Published November 11, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

1. Description

The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. The cause is the /easycommerce/v1/orders REST API endpoint not properly restricting which role a user may select during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site.
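The weakness class described above (an unauthenticated REST endpoint that honours a caller-supplied role when it creates an account) is illustrated here with a hardened WordPress REST callback. This is an added example, not EasyCommerce's code: only the route path comes from the advisory; the callback name, parameter names and the role allowlist are assumptions.

```php
<?php
// Added illustration of a CWE-269 mitigation for a WordPress REST endpoint.
// Not the plugin's code: the handler, parameter names and allowlist are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'easycommerce/v1', '/orders', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_order_with_customer',
        // Public checkout may legitimately be unauthenticated, so the
        // permission callback alone cannot prevent role abuse; the handler must.
        'permission_callback' => '__return_true',
        'args'                => array(
            'email' => array( 'required' => true, 'sanitize_callback' => 'sanitize_email' ),
        ),
    ) );
} );

function example_create_order_with_customer( WP_REST_Request $request ) {
    $email = $request->get_param( 'email' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid email.', array( 'status' => 400 ) );
    }

    // Mitigation: the role is NEVER read from the request body. Any 'role',
    // 'roles' or similar key the caller sends is ignored entirely.
    $role = get_option( 'default_role', 'subscriber' );

    // Defence in depth: even the configured default is checked against an
    // allowlist of low-privilege roles before it is used for self-registration.
    $allowed = array( 'subscriber', 'customer' );
    if ( ! in_array( $role, $allowed, true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $email, true ),
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Order creation for $user_id would follow here (omitted).
    return rest_ensure_response( array( 'user_id' => $user_id ) );
}
```

The same check belongs in every code path that creates or updates a user from request data; a site-level audit for unexpected administrator accounts is the corresponding detection step.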

Explanation of Vulnerability in Simple Terms

2. Summary

The EasyCommerce plugin for WordPress contains a privilege management flaw affecting versions up to 1.8.2. An unauthenticated attacker can exploit this vulnerability over the network without user interaction to gain unauthorized access, modify site data, or disrupt service. The vulnerability requires no special conditions and poses a critical risk to any WordPress site running the affected plugin.

What an attacker can do

3. Attacker Capabilities

Read sensitive data, modify or delete site content, and disrupt site availability without authentication.

Potential impact on your site

4. Site Impact

Attackers can compromise your entire WordPress site, steal customer data, modify products/orders, or take the site offline.

Conditions required to exploit

5. Prerequisites

Network access only; no authentication, user interaction, or special configuration required.

Key dates

6. Disclosure timeline

November 11, 2025 CVE published
April 8, 2026 Record updated