What the vulnerability does
01 Description
The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to modify several of the plugin's settings like the ServerKey and LicenseKey.
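The class of bug described above, a WordPress REST route registered without a capability check, shown next to its hardened form. This is an added example, not code from the Shelf Planner plugin: the route namespace, route paths, option name and handler name are hypothetical, and the use of `'__return_true'` as the permissive callback and of the WooCommerce capability `manage_woocommerce` as the required one are assumptions.

```php
<?php
// Hypothetical names throughout: 'example-plugin/v1', the '/settings*' routes
// and the 'example_plugin_server_key' option are illustrative only and are
// not taken from the Shelf Planner code base.

// Shared handler: stores a settings value sent in the request body.
function example_plugin_save_settings( WP_REST_Request $request ) {
    $key = sanitize_text_field( (string) $request->get_param( 'server_key' ) );
    update_option( 'example_plugin_server_key', $key );
    return rest_ensure_response( array( 'saved' => true ) );
}

add_action( 'rest_api_init', function () {
    // BEFORE (vulnerable pattern): the permission callback always returns
    // true, so the handler runs for every caller, logged in or not.
    register_rest_route( 'example-plugin/v1', '/settings-unchecked', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => '__return_true',
    ) );

    // AFTER (hardened pattern): the route is refused unless the current
    // user holds a capability that matches the sensitivity of the setting.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                // 401 for anonymous callers, 403 for logged-in users
                // who lack the capability.
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to change these settings.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        // Declare the expected argument so malformed requests are rejected
        // by the REST layer before the handler runs.
        'args'                => array(
            'server_key' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

When auditing a plugin, search its `register_rest_route()` calls for routes that write options and whose `permission_callback` is absent or always returns true.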
Explanation of Vulnerability in Simple Terms
02 Summary
Shelf Planner Inventory Management for WooCommerce versions 2.8.1 and earlier lack proper authorization checks. An unauthenticated attacker can modify inventory data or other protected information without permission. This affects all installations of the plugin up to the stated version. Site owners should update immediately to a patched release.
What an attacker can do
03 Attacker Capabilities
Modify inventory data and other protected information without authentication.
Potential impact on your site
04 Site Impact
Attackers can alter product inventory, pricing, or other critical WooCommerce data without logging in.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 11, 2025: CVE published
April 8, 2026: Record updated