Platform
wordpress
Component
easycommerce
Fixed in
1.8.3
CVE-2025-11457 describes a critical Privilege Escalation vulnerability discovered in the EasyCommerce – AI-Powered WordPress Ecommerce Plugin. This flaw allows unauthenticated attackers to bypass role restrictions and gain administrator-level access to vulnerable WordPress sites. The vulnerability affects versions 0.9.0-beta2 through 1.8.2, and a patch is available in version 1.8.3.
The impact of this vulnerability is severe. An unauthenticated attacker can exploit this flaw to completely compromise a WordPress site running the affected EasyCommerce plugin. This includes gaining full control over the site's content, user accounts, and configuration. Attackers could install malicious plugins, steal sensitive data, deface the website, or use it as a launchpad for further attacks against the network. Because no authentication is required, any unauthenticated visitor to the site can potentially trigger the privilege escalation, which significantly increases the risk.
This vulnerability was publicly disclosed on 2025-11-11. No public proof-of-concept exploits have been identified at the time of writing, but the ease of exploitation suggests a high probability of exploitation if left unpatched. The vulnerability's severity and ease of exploitation warrant immediate attention. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the EasyCommerce plugin, particularly those running versions 0.9.0-beta2 through 1.8.2, are at significant risk. Shared hosting environments where plugin updates are not consistently managed are especially vulnerable, as are sites with limited security configurations.
• wordpress / composer / npm: wp plugin list | grep easycommerce
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: wp plugin status easycommerce
• wordpress / composer / npm: curl -I https://your-wordpress-site.com/easycommerce/v1/orders
• generic web: Check WordPress plugin directory for updates and security advisories.
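To make the version check above scriptable across many sites, here is an added shell example (not from this advisory or the EasyCommerce project) that parses `wp plugin list --format=csv` output and reports whether the installed version falls in the affected range 0.9.0-beta2 through 1.8.2; the CSV sample is constructed.

```shell
#!/bin/sh
# Added example: flag an EasyCommerce install whose version falls in the
# affected range 0.9.0-beta2 .. 1.8.2 (fixed in 1.8.3).
# On a real site replace the sample with: wp plugin list --format=csv

# Constructed sample of `wp plugin list --format=csv` output (not real site data)
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
easycommerce,active,available,1.8.2
hello,inactive,none,1.7.2'

# Print the installed easycommerce version found in the CSV text, or nothing
easycommerce_version_from_csv() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $1 == "easycommerce" { print $4; exit }'
}

# Return 0 (true) when VERSION is in the affected range, 1 otherwise
easycommerce_is_affected() {
  ver="$1"
  base="${ver%%-*}"        # "1.8.2", or "0.9.0" from "0.9.0-beta2"
  pre="${ver#"$base"}"     # "" or "-beta2"
  set -- $(printf '%s' "$base" | tr '.' ' ')
  maj=${1:-0}; min=${2:-0}; pat=${3:-0}
  key=$(( maj * 1000000 + min * 1000 + pat ))   # 1.8.2 -> 1008002
  [ "$key" -lt 1008003 ] || return 1             # 1.8.3 and later are patched
  [ "$key" -le 9000 ] || return 0                # strictly between 0.9.0 and 1.8.3
  [ "$key" -eq 9000 ] || return 1                # older than 0.9.0 is not listed
  # Exactly 0.9.0: the final release and beta2 or later are affected
  case "$pre" in
    "") return 0 ;;
    -beta*) n="${pre#-beta}" ;;
    *) return 1 ;;
  esac
  case "$n" in ''|*[!0-9]*) return 1 ;; esac
  [ "$n" -ge 2 ]
}

installed=$(easycommerce_version_from_csv "$SAMPLE_PLUGIN_LIST")
if [ -z "$installed" ]; then
  echo "easycommerce is not installed"
elif easycommerce_is_affected "$installed"; then
  echo "easycommerce $installed is affected by CVE-2025-11457: update to 1.8.3 or later"
else
  echo "easycommerce $installed is outside the affected range"
fi
```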
disclosure
Exploit status
EPSS
0.19% (percentile 40%)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the EasyCommerce plugin to version 1.8.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While a direct fix is preferred, restricting access to the /easycommerce/v1/orders endpoint via a WordPress firewall or security plugin could limit exposure. Review user roles and permissions to ensure no unauthorized users have elevated privileges. Regularly scan your WordPress site for vulnerabilities using a reputable security plugin.
Update to version 1.8.3, or a newer patched version
CVE-2025-11457 is a critical vulnerability in the EasyCommerce WordPress plugin allowing unauthenticated attackers to gain administrator access. It affects versions 0.9.0-beta2 to 1.8.2 due to improper role restrictions.
You are affected if your WordPress site uses the EasyCommerce plugin and is running version 0.9.0-beta2 through 1.8.2. Check your plugin version immediately.
Upgrade the EasyCommerce plugin to version 1.8.3 or later. If immediate upgrade is not possible, consider temporary workarounds like restricting access to the /easycommerce/v1/orders endpoint.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a high probability of exploitation if left unpatched.
Refer to the EasyCommerce plugin's official website or WordPress plugin repository for the latest security advisory and update information.