Platform
wordpress
Component
storeengine
Fixed in
1.5.1
CVE-2025-9215 describes an Arbitrary File Access vulnerability discovered in the StoreEngine WordPress plugin. This vulnerability allows authenticated attackers, with Subscriber-level access or higher, to read arbitrary files on the server. The vulnerability affects versions 1.0.0 through 1.5.0 of the plugin. A patch is expected from the vendor.
An attacker exploiting this vulnerability could potentially gain access to sensitive information stored on the web server. This could include configuration files, database credentials, source code, or other confidential data. The ability to read arbitrary files significantly expands the attack surface, allowing attackers to map the file system and identify valuable targets. While requiring authentication (Subscriber level), the widespread use of WordPress and the potential for compromised user accounts makes this a concerning vulnerability. The impact is amplified if the server hosts other sensitive applications or data.
This vulnerability was publicly disclosed on 2025-09-17. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at this time. The relatively low CVSS score suggests a moderate probability of exploitation, but the ease of exploitation (requiring only Subscriber access) warrants attention.
Exploit Status
EPSS
0.03% (7% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of the StoreEngine plugin as soon as it becomes available. In the interim, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the server to minimize the potential damage from a successful exploit. Regularly review WordPress user roles and permissions to ensure least privilege access. Monitor server logs for suspicious file access attempts.
Update the StoreEngine plugin to the latest available version. The Path Traversal vulnerability has been addressed in versions later than 1.5.0. Ensure you perform a full backup of your website before updating.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-9215 is a vulnerability in the StoreEngine WordPress plugin allowing authenticated attackers to read arbitrary files on the server, potentially exposing sensitive data.
You are affected if your WordPress site uses the StoreEngine plugin in versions 1.0.0 through 1.5.0. Check your plugin versions and upgrade as soon as a patch is available.
Upgrade to the latest version of the StoreEngine plugin as soon as a patch is released. In the meantime, implement WAF rules to block path traversal attempts.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the ease of exploitation warrants vigilance.
Check the StoreEngine plugin website and WordPress plugin repository for updates and security advisories related to CVE-2025-9215.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.