CVE-2025-11457
Published: 11 November 2025
Summary
CVE-2025-11457 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 38.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-2 requires proper management of account creation and authorization allocation, directly preventing unauthenticated attackers from self-assigning administrator roles during registration via the flawed REST API endpoint.
AC-6 enforces the principle of least privilege, ensuring that registration processes do not allow escalation to administrator-level access without authorization.
AC-3 mandates enforcement of access control policies, which would restrict the /easycommerce/v1/orders endpoint from permitting unauthorized role selection during user registration.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated registration with administrator privileges via a public-facing REST API endpoint, facilitating exploitation of public-facing applications (T1190), exploitation for privilege escalation (T1068), and creation of local administrator accounts (T1136.001).
NVD Description
The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to…
more
select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site.
Deeper analysisAI
CVE-2025-11457 is a privilege escalation vulnerability in the EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin for WordPress, affecting versions 0.9.0-beta2 through 1.8.2. The flaw arises in the /easycommerce/v1/orders REST API endpoint, which does not properly restrict the ability for users to select roles during registration, enabling escalation to administrator-level access. It is rated critical with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By leveraging the flawed registration process via the REST API endpoint, attackers can register accounts and self-assign administrator roles, gaining full control over the vulnerable WordPress site.
Mitigation details are outlined in available advisories and patches, including a fix committed in WordPress plugin trac changeset 3392029 at /easycommerce/trunk/app/Abstracts/User.php. Security practitioners should update to a patched version beyond 1.8.2, as referenced on the plugin's WordPress.org page and Wordfence threat intelligence advisory.
Details
- CWE(s)