Platform
wordpress
Component
storecontrl-wp-connection
Fixed in
4.1.4
CVE-2025-39568 describes an arbitrary file access (path traversal) vulnerability in Arture B.V.'s StoreContrl Woocommerce plugin (slug storecontrl-wp-connection). By manipulating a file path that the plugin uses, an attacker can read files on the server that the plugin was never meant to expose. All versions from 0.0.0 up to and including 4.1.3 are affected; the fix shipped in version 4.1.4.
An arbitrary file access flaw lets an attacker step outside the directory the plugin intends to serve from, typically with ../ sequences, and read files elsewhere on the server. In a WordPress installation the obvious target is wp-config.php, which holds the database credentials and the site's authentication keys and salts; plugin and theme source code and any other configuration under the web root are reachable the same way. Exposure of that material is rarely the end of the story, since valid database credentials and site secrets are exactly what an attacker needs for privilege escalation, data theft or account takeover. The read runs with the permissions of the PHP process, so the blast radius is set by how tightly that process is confined, and it grows if the same server hosts other sensitive applications or data.
CVE-2025-39568 was publicly disclosed on 2025-04-17. No public proof-of-concept (PoC) had been released at the time of writing, but path traversal bugs are typically simple to exploit once the vulnerable parameter is known: the attacker supplies a path containing ../ sequences (or their URL-encoded forms) where a plain file name is expected. The EPSS score shown on this page is 0.50% (66th percentile), i.e. a low absolute probability of exploitation within the next 30 days, but higher than roughly two thirds of all scored CVEs. Monitor security advisories and threat intelligence feeds for signs of active exploitation.
WordPress sites running the StoreContrl Woocommerce plugin at any version from 0.0.0 through 4.1.3 are at risk. Shared hosting environments deserve particular attention: where the PHP process of one site can read files belonging to other tenants (weak per-site isolation), a file read in one site reaches into neighbouring sites on the same server. The vulnerability grants no more than the file-read privileges of that process, but on a poorly isolated host that is already a lot.
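The traversal pattern described above, as an added PHP illustration that is not the StoreContrl plugin's code: the advisory does not name the vulnerable function or parameter, so the "export directory" reader and every name in it are hypothetical. It puts a file read that concatenates a user-supplied name unchecked beside a hardened version that resolves the path with realpath() and requires the result to stay inside the intended directory. The directory tree it builds under the system temp dir, including the fake wp-config.php, is constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example (not the plugin's code). Hypothetical "export" reader in its vulnerable and
// hardened forms. Works on PHP 7.4+.

// VULNERABLE: the user-supplied name is joined to the base directory with no containment check.
// A name such as "../../wp-config.php" walks out of $baseDir and returns the WordPress config,
// which carries the database credentials.
function read_export_vulnerable(string $baseDir, string $name): ?string
{
    $data = @file_get_contents($baseDir . '/' . $name);
    return $data === false ? null : $data;
}

// HARDENED: resolve both paths with realpath() (which also follows symlinks), then require the
// resolved target to sit strictly inside the resolved base directory.
function read_export_hardened(string $baseDir, string $name): ?string
{
    // Reject NUL bytes up front; PHP's filesystem functions refuse them with an exception.
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $name);
    // realpath() is false for paths that do not exist, so "not found" and "outside base" both
    // collapse to null: the function is not a file-existence oracle for someone probing paths.
    if ($base === false || $target === false || !is_file($target)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved path escaped the export directory (also catches symlinks out)
    }
    $data = @file_get_contents($target);
    return $data === false ? null : $data;
}

// Constructed demo tree standing in for wp-content/ (every file and value here is made up).
function demo(): array
{
    $root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
    mkdir($root . '/uploads/export', 0700, true);
    file_put_contents($root . '/uploads/export/orders.csv', "id,total\n1,9.99\n");
    file_put_contents($root . '/wp-config.php', "<?php define('DB_PASSWORD', 'constructed-secret');\n");

    $base   = $root . '/uploads/export';
    $benign = 'orders.csv';
    $evil   = '../../wp-config.php';

    $result = [
        'vulnerable_reads_benign' => read_export_vulnerable($base, $benign) !== null,
        'vulnerable_reads_evil'   => read_export_vulnerable($base, $evil) !== null,   // unchecked read leaves the export dir
        'hardened_reads_benign'   => read_export_hardened($base, $benign) !== null,
        'hardened_reads_evil'     => read_export_hardened($base, $evil) !== null,     // containment check rejects it
    ];

    // clean up the throwaway tree
    unlink($root . '/uploads/export/orders.csv');
    unlink($root . '/wp-config.php');
    rmdir($root . '/uploads/export');
    rmdir($root . '/uploads');
    rmdir($root);
    return $result;
}

var_export(demo());
```

Run it with php on any 7.4+ interpreter: the vulnerable reader hands back the fake wp-config.php for '../../wp-config.php', the hardened one returns null for it and still serves orders.csv. Two design points matter in practice: the check is done on the realpath() result rather than on the string (so "orders.csv/../../wp-config.php", symlinks and mixed separators are all handled by the filesystem's own resolution), and the prefix comparison includes the trailing separator, so a sibling directory whose name merely starts with the base name ("export-old") is not accepted.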
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/storecontrl-wp-connection/
(With -F the pattern is taken literally; without it "." matches any character and nearly every path in the source matches. Either way this only tells you whether the plugin source contains "../" strings, which is not evidence for or against the vulnerability. The reliable check is the installed version: anything below 4.1.4 is affected.)
• generic web:
curl -I --path-as-is https://your-wordpress-site.com/wp-content/plugins/storecontrl-wp-connection/../../../../etc/passwd | head -n 1
(Without --path-as-is, curl collapses the "../" segments before sending the request, so the server never sees them. Even with it, this only probes the web server's own path normalisation; the advisory does not identify the plugin code path or parameter through which the traversal happens, so a non-200 response says nothing about CVE-2025-39568, and a 200 would point to a much broader server misconfiguration.)
Disclosure
Exploit status
no public PoC and no confirmed in-the-wild exploitation at the time of writing
EPSS
0.50% (66th percentile)
CISA SSVC
not given on this page
CVSS vector
not given on this page
The primary mitigation for CVE-2025-39568 is to upgrade StoreContrl Woocommerce to version 4.1.4 or later without delay. If upgrading is not immediately feasible, add a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences; the rule must match the URL-encoded forms as well (%2e%2e%2f, %2e%2e/, double-encoded %252e%252e%252f and backslash variants), not only a literal ../, or it will be trivially bypassed. Additionally, tighten file permissions so that the PHP process can read only what the site needs (wp-config.php readable by the web user alone, nothing from other tenants on a shared host) to limit what a successful read can reach. Review the web server access logs regularly for traversal sequences in request paths and query strings.
Update the StoreContrl Woocommerce plugin to the latest available version to mitigate the directory traversal vulnerability. Check the plugin page on WordPress.org for the most recent version and update instructions. Consider additional security measures, such as restricting access to sensitive files and validating user input.
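Two operator checks that follow from the detection and mitigation steps above, as an added PHP script that is not part of the advisory or of the plugin. It (1) reads the installed version from the main plugin file header, the same "Version:" line WordPress itself parses, and compares it with the fixed release 4.1.4, and (2) scans access-log lines for traversal sequences after normalising URL encoding, so the encoded forms a naive "../" WAF rule misses are reported too. It assumes the standard WordPress layout (wp-content/plugins/storecontrl-wp-connection/ with a top-level .php file carrying a "Plugin Name:" header). The sample header and log lines are constructed, and the "/index.php?path=" requests in them are made up: the advisory does not name the plugin's vulnerable endpoint or parameter.

```php
<?php
declare(strict_types=1);
// Added operator checks (not the advisory's or the plugin's code). PHP 7.4+.

const FIXED_VERSION = '4.1.4';
const PLUGIN_SLUG   = 'storecontrl-wp-connection';

// Pull "Version: x.y.z" out of a WordPress plugin header comment.
function plugin_version_from_header(string $headerText): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $headerText, $m)) {
        return $m[1];
    }
    return null;
}

// Locate the plugin's main file (top-level .php file with a "Plugin Name:" header) under a
// wp-content/plugins directory and return its version, or null if not installed or unreadable.
function installed_plugin_version(string $pluginsDir): ?string
{
    foreach (glob($pluginsDir . '/' . PLUGIN_SLUG . '/*.php') ?: [] as $file) {
        $head = (string) file_get_contents($file, false, null, 0, 8192); // WP reads the first 8 KB
        if (stripos($head, 'Plugin Name:') !== false) {
            return plugin_version_from_header($head);
        }
    }
    return null;
}

// True when the version is in the affected range (anything below 4.1.4). An unknown version is
// treated as affected: "cannot tell" is not a reason to assume the site is patched.
function is_vulnerable_version(?string $installed): bool
{
    return $installed === null || version_compare($installed, FIXED_VERSION, '<');
}

// Percent-decode until the string stops changing (bounded), then unify path separators, so
// %2e%2e%2f, double-encoded %252e%252e%252f and ..\ all become a literal ../.
function normalise_target(string $target): string
{
    for ($round = 0; $round < 3; $round++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return str_replace('\\', '/', $target);
}

// Return the log lines (Apache/nginx common or combined format) whose request target contains
// a traversal sequence once decoded. The whole target, query string included, is inspected
// because the vulnerable parameter is not known from the advisory.
function traversal_hits(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match('/"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        if (preg_match('#\.\./#', normalise_target($m[1]))) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// ---- constructed demo data (fictional header, fictional requests, RFC 5737 test addresses) ----
$sampleHeader = "<?php\n/*\nPlugin Name: StoreContrl Woocommerce\nVersion: 4.1.3\n*/\n";
$sampleLog = [
    '203.0.113.5 - - [17/Apr/2025:10:00:01 +0000] "GET /wp-content/plugins/storecontrl-wp-connection/readme.txt HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [17/Apr/2025:10:00:02 +0000] "GET /index.php?path=../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '203.0.113.5 - - [17/Apr/2025:10:00:03 +0000] "GET /index.php?path=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 403 0 "-" "curl/8.0"',
    '203.0.113.5 - - [17/Apr/2025:10:00:04 +0000] "GET /index.php?path=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.9 - - [17/Apr/2025:10:00:05 +0000] "GET /shop/?product=orders..csv HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
];

$version = plugin_version_from_header($sampleHeader);
printf("sample header version %s -> affected: %s\n", $version, is_vulnerable_version($version) ? 'yes' : 'no');
printf("%d of %d sample log lines carry a traversal sequence\n", count(traversal_hits($sampleLog)), count($sampleLog));
// On a real host, replace the sample header with:
//   is_vulnerable_version(installed_plugin_version('/var/www/html/wp-content/plugins'))
```

Of the five sample lines, the three "/index.php?path=" requests are flagged (plain, single-encoded and double-encoded traversal) while "orders..csv" is not, since ".." is only a hit when followed by a separator. A WAF rule that matches only the literal "../" would have let the third and fourth lines through, which is why the mitigation text insists on covering the encoded forms. Note that the 403 on the single-encoded line is a constructed detail: which variants your WAF actually blocks is exactly what this scan is meant to tell you.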
CVE-2025-39568 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server via path traversal in the StoreContrl Woocommerce plugin.
You are affected if you are using StoreContrl Woocommerce versions 0.0.0 through 4.1.3. Upgrade to 4.1.4 or later to resolve the issue.
Upgrade StoreContrl Woocommerce to version 4.1.4 or later. As a temporary workaround, implement a WAF rule that blocks path traversal attempts, including URL-encoded ../ variants.
While no active exploitation has been publicly confirmed, the ease of exploitation makes it a likely target. Monitor your systems for suspicious activity.
Refer to the StoreContrl website and WordPress plugin repository for the latest advisory and update information.