CVE-2025-39568: Arbitrary File Access in StoreContrl Woocommerce
Platform: wordpress
Component: storecontrl-wp-connection
Fixed in: 4.1.4
CVE-2025-39568 describes an Arbitrary File Access vulnerability discovered in Arture B.V.'s StoreContrl Woocommerce plugin. It allows an attacker to read sensitive files on the server by manipulating file paths supplied to the plugin. The vulnerability affects versions from 0.0.0 up to and including 4.1.3; a patch has been released in version 4.1.4.
Impact and Attack Scenarios
The Arbitrary File Access vulnerability in StoreContrl Woocommerce allows an attacker to bypass the intended access controls and read arbitrary files on the server. These could include configuration files containing database credentials, private keys, or other sensitive information. Successful exploitation could lead to complete compromise of the WordPress site and potentially of the underlying server. No specific real-world exploitation has been publicly reported for this vulnerability, but path traversal vulnerabilities are frequently exploited, and the ease of exploiting this one makes it a high-priority concern.
Exploitation Context
CVE-2025-39568 was publicly disclosed on April 17, 2025. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the ease of exploitation associated with path traversal vulnerabilities. Monitor security advisories and vulnerability databases for updates.
Threat Intelligence
Exploit Status
EPSS: 0.50% (66th percentile)
CISA SSVC
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. The attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: None — the attack is automatic and silent. The victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: High — complete confidentiality loss. The attacker can read all data: credentials, keys, personal data.
- Integrity: None — no integrity impact. The attacker cannot modify data.
- Availability: None — no availability impact. The service remains fully operational.
Affected Software
Package Information
- Active installs: 60
- Plugin rating: 5.0
- Requires WordPress: 6.6.0+
- Compatible up to: 6.9.4
- Requires PHP: 8.0+
Weakness Classification (CWE)
Timeline
- Reserved
- Published: April 17, 2025
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2025-39568 is to upgrade StoreContrl Woocommerce to version 4.1.4 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider adding a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences (e.g., ../). Restrict file permissions on the WordPress directory to limit the damage a successful read can do. Monitor WordPress access logs for suspicious file access attempts, particularly those involving directory traversal patterns.
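The log-monitoring step above is easy to get wrong if the check only looks for the literal string `../`: traversal sequences commonly arrive percent-encoded (`%2e%2e%2f`), double-encoded, or with backslashes. The scanner below is an added example, not code from the advisory or from the plugin. It reads common-format access log lines, normalises the request target (repeated URL decoding, backslash to slash), flags traversal attempts, and records the HTTP status so that a 200 response to a traversal request can be triaged first. The sample log lines are constructed, and the `path=` query parameter name is a hypothetical placeholder; the plugin's real parameter names are not given on this page.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in the common Apache/nginx access log format.
# The "?path=" parameter is a hypothetical placeholder, not the plugin's real one.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Apr/2025:10:01:02 +0000] "GET /wp-content/plugins/storecontrl-wp-connection/?path=../../wp-config.php HTTP/1.1" 200 2931 "-" "curl/8.0"
203.0.113.11 - - [17/Apr/2025:10:01:05 +0000] "GET /wp-content/plugins/storecontrl-wp-connection/?path=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2931 "-" "curl/8.0"
198.51.100.7 - - [17/Apr/2025:10:02:00 +0000] "GET /wp-content/plugins/storecontrl-wp-connection/assets/style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [17/Apr/2025:10:02:30 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [17/Apr/2025:10:03:00 +0000] "GET /wp-content/plugins/storecontrl-wp-connection/?path=..%5c..%5cwp-config.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A ".." segment that is followed by a slash or ends the string and is not part of
# a longer name such as "a..b" or "foo..". Applied after normalisation.
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?:/|$)')


def normalize_target(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (double encoding is common), then treat backslashes as slashes."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')


def is_traversal(target: str) -> bool:
    """True if the request target contains a traversal segment or an embedded NUL."""
    norm = normalize_target(target)
    return bool(TRAVERSAL_RE.search(norm)) or '\x00' in norm


def scan_log(text: str, plugin_slug: str = 'storecontrl-wp-connection') -> List[Dict]:
    """Return one record per suspicious line: who asked, for what, and whether the server said 200."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        target = m['target']
        if is_traversal(target):
            hits.append({
                'ip': m['ip'],
                'timestamp': m['ts'],
                'status': int(m['status']),
                'target': target,
                # Requests aimed at the vulnerable plugin's directory deserve first attention.
                'plugin_request': f'/plugins/{plugin_slug}/' in target,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        flag = 'LIKELY SUCCESS' if hit['status'] == 200 else 'attempt'
        print(f"{hit['ip']} {hit['status']} {flag}: {hit['target']}")
```

Run against a real log, the records with status 200 and `plugin_request` set are the ones to investigate first, since the same traversal request that returned 404 on a patched site returns file contents on a vulnerable one. A WAF rule built the same way should match on the decoded form of the target, not the raw bytes.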
How to fix
Update the StoreContrl Woocommerce plugin to the latest available version to mitigate the directory traversal vulnerability. Check the plugin's page on WordPress.org for the most recent version and update instructions. Consider implementing additional security measures, such as restricting access to sensitive files and validating user input.
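"Validating user input" for a file path means more than stripping `../`: the path has to be resolved and then checked to still lie inside the directory the feature is meant to serve. The function below is an added example of that containment check, written in Python for illustration; it is not the plugin's code (the plugin is PHP) and does not reproduce its vulnerable logic, which this page does not show. `resolve_within` and `UnsafePathError` are hypothetical names, and `demo()` builds a throwaway directory layout so the checks can be exercised offline, including a symlink that points outside the base directory.

```python
import os
import tempfile
from typing import Dict
from urllib.parse import unquote


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the real absolute path for user_path if it stays inside base_dir, else raise.

    Order matters: reject NUL bytes first, decode percent-encoding so encoded
    dots are seen, normalise backslashes, resolve symlinks and '..' with
    realpath, and only then compare against the real base directory.
    """
    if '\x00' in user_path:
        raise UnsafePathError('NUL byte in path')
    decoded = unquote(user_path).replace('\\', '/')
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_real if decoded is absolute; the containment
    # check below catches that case, so no separate absolute-path rule is needed.
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # commonpath (not str.startswith) so that "/srv/files2" is not accepted
    # as being inside "/srv/files".
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafePathError(f'path escapes base directory: {user_path!r}')
    return candidate


def demo() -> Dict[str, str]:
    """Probe resolve_within with typical inputs against a constructed directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, 'uploads')
        os.makedirs(os.path.join(base, 'sub'))
        with open(os.path.join(base, 'sub', 'report.csv'), 'w') as f:
            f.write('id,total\n1,9.99\n')
        with open(os.path.join(tmp, 'secret.txt'), 'w') as f:
            f.write('outside the served directory\n')
        # A symlink inside the base that points outside it.
        os.symlink(os.path.join(tmp, 'secret.txt'), os.path.join(base, 'link'))
        probes = {
            'plain': 'sub/report.csv',
            'dotdot': '../secret.txt',
            'encoded': '%2e%2e%2fsecret.txt',
            'backslash': '..\\secret.txt',
            'absolute': '/etc/hostname',
            'symlink': 'link',
            'nul': 'sub/report.csv\x00.png',
        }
        for name, p in probes.items():
            try:
                resolve_within(base, p)
                results[name] = 'allowed'
            except UnsafePathError:
                results[name] = 'rejected'
    return results


if __name__ == '__main__':
    for name, outcome in demo().items():
        print(f'{name:10s} {outcome}')
```

Only the plain relative path is accepted; every other probe, including the symlink that a string-based filter would never notice, is rejected because the check is made on the resolved path rather than on the raw input.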
Frequently asked questions
What is CVE-2025-39568 — Arbitrary File Access in StoreContrl Woocommerce?
CVE-2025-39568 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server via path traversal in the StoreContrl Woocommerce plugin.
Am I affected by CVE-2025-39568 in StoreContrl Woocommerce?
You are affected if you are using StoreContrl Woocommerce versions 0.0.0 through 4.1.3. Upgrade to 4.1.4 or later to resolve the issue.
How do I fix CVE-2025-39568 in StoreContrl Woocommerce?
Upgrade StoreContrl Woocommerce to version 4.1.4 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
Is CVE-2025-39568 being actively exploited?
No active exploitation has been publicly confirmed, but the ease of exploitation makes this vulnerability a likely target. Monitor your systems for suspicious activity.
Where can I find the official StoreContrl advisory for CVE-2025-39568?
Refer to the StoreContrl website and WordPress plugin repository for the latest advisory and update information.