無料スキャン
分析待ちCVE-2025-48148

CVE-2025-48148: Arbitrary File Access in StoreKeeper for WooCommerce

プラットフォーム

wordpress

コンポーネント

storekeeper-for-woocommerce

修正版

14.4.5

NVDで見る
保存

CVE-2025-48148 describes an Arbitrary File Access vulnerability discovered in StoreKeeper for WooCommerce. This flaw allows attackers to upload files of any type, bypassing security restrictions and potentially leading to severe consequences, including remote code execution. The vulnerability affects versions from 0 through 14.4.4, and a patch is available in version 14.4.5.

WordPress

このCVEがあなたのプロジェクトに影響するか確認

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャン

影響と攻撃シナリオ翻訳中…

The Arbitrary File Access vulnerability in StoreKeeper for WooCommerce poses a significant threat. An attacker could upload malicious files, such as web shells or backdoors, directly to the server. This could grant them unauthorized access, allowing them to execute arbitrary code, steal sensitive data (customer information, order details, payment information), modify website content, or even take complete control of the WooCommerce store. The ability to upload any file type circumvents typical file type validation, making exploitation easier. Successful exploitation could lead to a complete compromise of the e-commerce platform and associated data, resulting in significant financial and reputational damage.

悪用の状況翻訳中…

CVE-2025-48148 has been published on 2025-08-20. The vulnerability's CRITICAL CVSS score (10) indicates a high probability of exploitation. Public proof-of-concept (POC) code is likely to emerge, increasing the risk. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting StoreKeeper for WooCommerce installations. The unrestricted file upload nature of this vulnerability makes it a prime target for automated scanning and exploitation.

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

EPSS

0.28% (51% パーセンタイル)

CISA SSVC

悪用状況none
自動化可能yes
技術的影響total

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H10.0CRITICALAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredNone攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeChanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityHighサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
なし — 認証不要。資格情報なしで悪用可能。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化あり — 攻撃が脆弱なコンポーネントを超えて他のシステムに波及可能。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。

影響を受けるソフトウェア

コンポーネントstorekeeper-for-woocommerce
ベンダーStoreKeeper B.V.
最小バージョン0
最大バージョン14.4.4
修正版14.4.5

弱点分類 (CWE)

CWE-434

タイムライン

  1. 予約済み
  2. 公開日
  3. 更新日
  4. EPSS 更新日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2025-48148 is to immediately upgrade StoreKeeper for WooCommerce to version 14.4.5 or later. If upgrading is not immediately possible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include strict file type validation on the server-side (beyond what StoreKeeper provides), restricting file upload directories, and implementing a Web Application Firewall (WAF) with rules to block suspicious file uploads. Regularly review uploaded files for any anomalies. After upgrading, confirm the fix by attempting to upload a file with a known dangerous extension (e.g., .php) and verifying that the upload is blocked.

修正方法翻訳中…

Actualice el plugin StoreKeeper for WooCommerce a la última versión disponible para solucionar la vulnerabilidad de carga arbitraria de archivos.  Verifique las actualizaciones disponibles en el panel de administración de WordPress o en el repositorio oficial de plugins de WordPress.  Asegúrese de realizar una copia de seguridad completa del sitio antes de actualizar cualquier plugin.

よくある質問翻訳中…

What is CVE-2025-48148 — Arbitrary File Access in StoreKeeper for WooCommerce?

CVE-2025-48148 is a critical vulnerability allowing attackers to upload any file type to a StoreKeeper for WooCommerce store, potentially leading to remote code execution. It affects versions 0–14.4.4 and has a CVSS score of 10.

Am I affected by CVE-2025-48148 in StoreKeeper for WooCommerce?

If you are using StoreKeeper for WooCommerce versions 0 through 14.4.4, you are affected by this vulnerability. Immediately check your version and upgrade if necessary.

How do I fix CVE-2025-48148 in StoreKeeper for WooCommerce?

The recommended fix is to upgrade StoreKeeper for WooCommerce to version 14.4.5 or later. If immediate upgrade is not possible, implement temporary workarounds like strict file type validation and WAF rules.

Is CVE-2025-48148 being actively exploited?

While no active exploitation has been publicly confirmed, the vulnerability's CRITICAL severity and ease of exploitation suggest a high probability of exploitation. Continuous monitoring is crucial.

Where can I find the official StoreKeeper advisory for CVE-2025-48148?

Refer to the official StoreKeeper for WooCommerce website and security advisories for the latest information and updates regarding CVE-2025-48148: [https://storekeeper.github.io/]

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索
WordPress

このCVEがあなたのプロジェクトに影響するか確認

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャン
scanZone.liveBadgescanZone.eyebrow

WordPressプロジェクトを今すぐスキャン — アカウント不要

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

手動スキャンSlack/メールアラートContinuous monitoringホワイトラベルレポート

依存関係ファイルをドラッグ&ドロップ

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...