CVE-2025-10173 in ShopEngine Elementor WooCommerce Builder Addon Plugin
Summary
by MITRE • 09/26/2025
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/26/2025
The vulnerability identified as CVE-2025-10173 affects the ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress, a popular solution that integrates Elementor page builder with WooCommerce functionality. This plugin serves as a comprehensive toolkit for creating online stores within the WordPress ecosystem, making it a critical component for many e-commerce websites. The vulnerability resides in the post_save() function where an incorrect capability check has been implemented, creating a security flaw that could be exploited by malicious actors within the system.
The technical flaw stems from insufficient access control validation within the plugin's administrative functions. Specifically, the post_save() function fails to properly verify user permissions before allowing modifications to plugin settings. This incorrect capability check means that authenticated users with Editor-level privileges or higher can bypass normal security restrictions and modify critical plugin configurations. The vulnerability represents a classic privilege escalation issue where the system grants broader permissions than intended, allowing less privileged users to perform actions typically restricted to administrators or higher-level roles.
From an operational perspective, this vulnerability poses significant risks to WordPress installations using the affected plugin. Attackers with Editor-level access can manipulate various plugin settings, potentially leading to data corruption, unauthorized feature modifications, or even complete compromise of the e-commerce functionality. The impact extends beyond simple configuration changes as these modifications could affect product listings, payment processing, user authentication, or other critical aspects of the online store. The vulnerability affects all versions up to and including 4.8.3, indicating a prolonged period during which the flaw remained undetected and exploitable.
Security professionals should note that this vulnerability aligns with CWE-284, which addresses improper access control issues in software systems. The flaw demonstrates how inadequate privilege validation can create dangerous security gaps within content management systems. According to ATT&CK framework, this vulnerability maps to T1078, which covers valid accounts and T1548, which addresses abuse of privileges, as attackers can leverage existing user accounts to escalate their privileges within the application. Organizations using this plugin should immediately implement mitigations including updating to the latest available version, reviewing user permissions, and monitoring for unauthorized configuration changes. The vulnerability underscores the importance of proper capability checks in web applications and highlights the need for regular security audits of third-party plugins that handle sensitive administrative functions.