Platform
wordpress
Component
storekeeper-for-woocommerce
Fixed in
14.4.5
CVE-2025-47687 is an Arbitrary File Access vulnerability affecting StoreKeeper for WooCommerce, a plugin for WordPress e-commerce stores. This flaw allows attackers to upload files of any type, including malicious web shells, to the server, potentially leading to complete system compromise. The vulnerability impacts versions from 0.0 up to and including 14.4.4. A patch is available in version 14.4.5.
The primary impact of CVE-2025-47687 is the ability for an attacker to upload a web shell, effectively gaining remote code execution (RCE) on the web server hosting the WooCommerce store. This could allow an attacker to modify website content, steal sensitive customer data (including payment information), install malware, or pivot to other systems on the network. The blast radius extends beyond the WooCommerce store itself, potentially impacting any connected databases or internal resources. Successful exploitation could lead to defacement, data breaches, and significant financial losses. The unrestricted file upload bypasses standard security measures, making it a particularly dangerous vulnerability. The ease of uploading a web shell significantly lowers the barrier to entry for attackers, even those with limited technical skills.
CVE-2025-47687 was published on 2025-05-23. Its critical CVSS score (10) indicates a high probability of exploitation. While no public Proof-of-Concept (PoC) exploits have been publicly released as of this writing, the ease of exploitation makes it a likely target for opportunistic attackers. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Given the prevalence of WooCommerce stores and the ease of exploiting this vulnerability, active campaigns are possible.
Exploit Status
EPSS
0.41% (61% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-47687 is to immediately upgrade StoreKeeper for WooCommerce to version 14.4.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file uploads to specific, safe file types using WordPress's built-in file handling capabilities, or implementing a Web Application Firewall (WAF) rule to block uploads of common web shell extensions (e.g., .php, .jsp, .asp). Carefully review and restrict the permissions of the upload directory to prevent the execution of uploaded files. After upgrading, verify the fix by attempting to upload a test file with a known malicious extension; the upload should be blocked or rejected.
Actualice el plugin StoreKeeper for WooCommerce a la última versión disponible para corregir la vulnerabilidad de carga de archivos arbitrarios. Verifique la página del plugin en WordPress.org para obtener la versión más reciente y las instrucciones de actualización. Además, implemente medidas de seguridad adicionales, como la restricción de tipos de archivos permitidos y la validación de entradas de usuario.
Vulnerability analysis and critical alerts directly to your inbox.
It's a critical Arbitrary File Access vulnerability in StoreKeeper for WooCommerce allowing attackers to upload malicious files, potentially leading to remote code execution.
If you're using StoreKeeper for WooCommerce versions 0.0 through 14.4.4, you are vulnerable. Check your plugin version immediately.
Upgrade StoreKeeper for WooCommerce to version 14.4.5 or later. If immediate upgrade isn't possible, implement temporary workarounds like WAF rules or file type restrictions.
While no public PoCs exist yet, the vulnerability's severity and ease of exploitation make it a likely target for attackers. Monitor your systems closely.
Refer to the official StoreKeeper B.V. advisory and the NVD entry for CVE-2025-47687 for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.