CVE-2025-11888
ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.4 - Incorrect Authorization to Authenticated (Editor+) License Status UpdateThe ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses.
We have discovered 3,092 live websites that are affected by CVE-2025-11888.
Affected Software
| Product |  Shopengine |
| Category | Wordpress Plugins |
| Vulnerable Domains | 3,092 live websites (71% of Shopengine install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 44 versions ( 94% of all versions) |
Common Weakness Enumeration
CWE-863 Incorrect AuthorizationDetails
- Published - Oct 25, 2025
- Updated - Oct 27, 2025
Credits
- Jonas Benjamin Friedli (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-11888 United States | 658 websites |
 France | 251 websites |
 Germany | 207 websites |
 Brazil | 192 websites |
 Italy | 149 websites |
 GB | 143 websites |
 Cyprus | 114 websites |
 India | 112 websites |
 South Africa | 93 websites |
 Poland | 86 websites |
Website Distribution by TLD
Number of websites using CVE-2025-11888| .com | 1,370 websites |
| .com.br | 187 websites |
| .fr | 120 websites |
| .it | 106 websites |
| .co.uk | 71 websites |
| .pl | 69 websites |
| .org | 58 websites |
| .ru | 52 websites |
| .net | 52 websites |
| .com.au | 48 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-11888
Top websites that are affected by CVE-2025-11888. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.com |  Bangladesh | **,*** | |
| ****.com |  Thailand | ***,*** | |
| ********.com | Thailand | ***,*** | |
| *********.com | United States | ***,*** | |
| *********.it | Germany | ***,*** | |
| ***************.org | France | ***,*** | |
| **********************.com | France | ***,*** | |
| ********.***.vn |  Vietnam | *,***,*** | |
| ******.de | Germany | *,***,*** | |
| ***.eu | Germany | *,***,*** |
FAQ
CVE-2025-11888 is Incorrect Authorization in Shopengine
A total of 3,092 websites have been identified as vulnerable to CVE-2025-11888, based on global website indexing conducted by WebTechSurvey.
The Shopengine is affected by the CVE-2025-11888 vulnerability.
Shopengine versions up to and including 4.8.4 are vulnerable to CVE-2025-11888.