WordPress StoreKeeper for WooCommerce plugin <= 14.4.4 - Arbitrary File Upload Vulnerability
wird übersetzt…Plattform
wordpress
Komponente
storekeeper-for-woocommerce
Behoben in
14.4.5
CVE-2025-47687 is an Arbitrary File Access vulnerability affecting StoreKeeper for WooCommerce, a plugin for WordPress e-commerce stores. This flaw allows attackers to upload files of any type, including malicious web shells, to the server, potentially leading to complete system compromise. The vulnerability impacts versions from 0.0 up to and including 14.4.4. A patch is available in version 14.4.5.
Erkenne diese CVE in deinem Projekt
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Auswirkungen und Angriffsszenarienwird übersetzt…
The primary impact of CVE-2025-47687 is the ability for an attacker to upload a web shell, effectively gaining remote code execution (RCE) on the web server hosting the WooCommerce store. This could allow an attacker to modify website content, steal sensitive customer data (including payment information), install malware, or pivot to other systems on the network. The blast radius extends beyond the WooCommerce store itself, potentially impacting any connected databases or internal resources. Successful exploitation could lead to defacement, data breaches, and significant financial losses. The unrestricted file upload bypasses standard security measures, making it a particularly dangerous vulnerability. The ease of uploading a web shell significantly lowers the barrier to entry for attackers, even those with limited technical skills.
Ausnutzungskontextwird übersetzt…
CVE-2025-47687 was published on 2025-05-23. Its critical CVSS score (10) indicates a high probability of exploitation. While no public Proof-of-Concept (PoC) exploits have been publicly released as of this writing, the ease of exploitation makes it a likely target for opportunistic attackers. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Given the prevalence of WooCommerce stores and the ease of exploiting this vulnerability, active campaigns are possible.
Bedrohungsanalyse
Exploit-Status
EPSS
0.41% (61% Perzentil)
CISA SSVC
CVSS-Vektor
Was bedeuten diese Metriken?
- Attack Vector
- Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
- Attack Complexity
- Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
- Privileges Required
- Keine — ohne Authentifizierung ausnutzbar. Keine Zugangsdaten erforderlich.
- User Interaction
- Keine — automatischer und lautloser Angriff. Das Opfer tut nichts.
- Scope
- Geändert — Angriff kann über die anfällige Komponente hinaus auf andere Systeme übergreifen.
- Confidentiality
- Hoch — vollständiger Vertraulichkeitsverlust. Angreifer kann alle Daten lesen.
- Integrity
- Hoch — Angreifer kann beliebige Daten schreiben, ändern oder löschen.
- Availability
- Hoch — vollständiger Absturz oder Ressourcenerschöpfung. Totaler Denial of Service.
Betroffene Software
Paketinformationen
- Aktive Installationen
- 20Nische
- Plugin-Bewertung
- 0.0
- Erfordert WordPress
- 5.0+
- Kompatibel bis
- 6.5.8
- Erfordert PHP
- 7.4+
Schwachstellen-Klassifikation (CWE)
Zeitleiste
- Reserviert
- Veröffentlicht
- Geändert
- EPSS aktualisiert
Mitigation und Workaroundswird übersetzt…
The primary mitigation for CVE-2025-47687 is to immediately upgrade StoreKeeper for WooCommerce to version 14.4.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file uploads to specific, safe file types using WordPress's built-in file handling capabilities, or implementing a Web Application Firewall (WAF) rule to block uploads of common web shell extensions (e.g., .php, .jsp, .asp). Carefully review and restrict the permissions of the upload directory to prevent the execution of uploaded files. After upgrading, verify the fix by attempting to upload a test file with a known malicious extension; the upload should be blocked or rejected.
So behebenwird übersetzt…
Actualice el plugin StoreKeeper for WooCommerce a la última versión disponible para corregir la vulnerabilidad de carga de archivos arbitrarios. Verifique la página del plugin en WordPress.org para obtener la versión más reciente y las instrucciones de actualización. Además, implemente medidas de seguridad adicionales, como la restricción de tipos de archivos permitidos y la validación de entradas de usuario.
CVE-Sicherheitsnewsletter
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
Häufig gestellte Fragenwird übersetzt…
What is CVE-2025-47687 — Arbitrary File Access in StoreKeeper for WooCommerce?
It's a critical Arbitrary File Access vulnerability in StoreKeeper for WooCommerce allowing attackers to upload malicious files, potentially leading to remote code execution.
Am I affected by CVE-2025-47687 in StoreKeeper for WooCommerce?
If you're using StoreKeeper for WooCommerce versions 0.0 through 14.4.4, you are vulnerable. Check your plugin version immediately.
How do I fix CVE-2025-47687 in StoreKeeper for WooCommerce?
Upgrade StoreKeeper for WooCommerce to version 14.4.5 or later. If immediate upgrade isn't possible, implement temporary workarounds like WAF rules or file type restrictions.
Is CVE-2025-47687 being actively exploited?
While no public PoCs exist yet, the vulnerability's severity and ease of exploitation make it a likely target for attackers. Monitor your systems closely.
Where can I find the official StoreKeeper for WooCommerce advisory for CVE-2025-47687?
Refer to the official StoreKeeper B.V. advisory and the NVD entry for CVE-2025-47687 for detailed information and updates.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.