Platform
wordpress
Component
storeengine
Fixed in
1.5.1
CVE-2025-9215 describes an Arbitrary File Access vulnerability discovered in the StoreEngine WordPress plugin. This vulnerability allows authenticated attackers, with Subscriber-level access or higher, to read arbitrary files on the server. The vulnerability affects versions 1.0.0 through 1.5.0 of the plugin. A patch is expected from the vendor.
An attacker exploiting this vulnerability could gain access to sensitive information stored on the web server, including configuration files, database credentials, source code, or other confidential data. The ability to read arbitrary files significantly expands the attack surface, allowing attackers to map the file system and identify valuable targets. Although exploitation requires authentication (Subscriber level), the widespread use of WordPress and the likelihood of compromised user accounts make this a concerning vulnerability. The impact is amplified if the server hosts other sensitive applications or data.
This vulnerability was publicly disclosed on 2025-09-17. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at this time. The relatively low CVSS score suggests a moderate probability of exploitation, but the ease of exploitation (requiring only Subscriber access) warrants attention.
WordPress websites utilizing the StoreEngine plugin, particularly those with a large number of users with Subscriber or higher roles, are at risk. Shared hosting environments where users have limited control over server configurations are also at increased risk, as are websites with outdated plugin versions.
• wordpress / composer / npm:
grep -r "file_download()" /var/www/html/wp-content/plugins/storeengine/
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/storeengine/wp-admin/admin.php?page=storeengine&file=../../../../etc/passwd' # Check for file disclosure
Exploit Status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of the StoreEngine plugin as soon as it becomes available. In the interim, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the server to minimize the potential damage from a successful exploit. Regularly review WordPress user roles and permissions to ensure least privilege access. Monitor server logs for suspicious file access attempts.
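The WAF-style request check and the log monitoring recommended above, as an added example that is not part of the original advisory or of the StoreEngine project. It assumes Apache combined-format access logs and that the vulnerable endpoint is reached through a `file=` query parameter, as in the check command shown earlier on this page; the log lines are constructed, and `should_block`, `find_traversal_attempts` and the other names are this example's own. The check decodes percent-encoding twice so that single- and double-encoded traversal sequences are caught before matching.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Sep/2025:10:01:02 +0000] "GET /wp-content/plugins/storeengine/assets/js/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Sep/2025:10:01:07 +0000] "GET /wp-admin/admin.php?page=storeengine&file=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [17/Sep/2025:10:01:09 +0000] "GET /wp-admin/admin.php?page=storeengine&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.2 - - [17/Sep/2025:10:02:00 +0000] "GET /wp-admin/admin.php?page=storeengine&file=invoice-42.pdf HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2025:10:03:00 +0000] "GET /wp-admin/admin.php?page=storeengine&file=....//....//etc/passwd HTTP/1.1" 404 300 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# "../" or "..\" anywhere in the decoded request; "....//" still contains "../".
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def decode_path(path: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def should_block(path: str) -> bool:
    """WAF-style rule: reject any request whose decoded path contains a traversal sequence."""
    return TRAVERSAL_RE.search(decode_path(path)) is not None


def is_storeengine_request(path: str) -> bool:
    """True for requests aimed at the StoreEngine admin page or plugin directory."""
    lowered = path.lower()
    return 'page=storeengine' in lowered or '/plugins/storeengine/' in lowered


def find_traversal_attempts(log_text: str) -> list:
    """Scan access-log text and report StoreEngine requests carrying traversal sequences.

    A 200 response to such a request is flagged as a likely disclosure and should be
    investigated; a 4xx suggests the attempt was rejected but still shows intent.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined format
        decoded = decode_path(m['path'])
        if not is_storeengine_request(decoded) or not TRAVERSAL_RE.search(decoded):
            continue
        query = parse_qs(urlsplit(decoded).query)
        hits.append({
            'ip': m['ip'],
            'timestamp': m['ts'],
            'status': int(m['status']),
            'file': query.get('file', [''])[0],
            'likely_success': m['status'] == '200',
        })
    return hits


def summarize_by_ip(hits: list) -> dict:
    """Count flagged requests per client IP, useful for prioritising follow-up."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
    print(summarize_by_ip(find_traversal_attempts(SAMPLE_LOG)))
```

Run it against a real log with `find_traversal_attempts(open('/var/log/apache2/access.log').read())`; requests that never reach the plugin are ignored, so ordinary StoreEngine downloads such as `file=invoice-42.pdf` do not produce alerts.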
Update the StoreEngine plugin to the latest available version. The Path Traversal vulnerability has been addressed in versions after 1.5.0. Be sure to take a full backup of your website before updating.
CVE-2025-9215 is a vulnerability in the StoreEngine WordPress plugin allowing authenticated attackers to read arbitrary files on the server, potentially exposing sensitive data.
You are affected if your WordPress site uses the StoreEngine plugin in versions 1.0.0 through 1.5.0. Check your plugin versions and upgrade as soon as a patch is available.
Upgrade to the latest version of the StoreEngine plugin as soon as a patch is released. In the meantime, implement WAF rules to block path traversal attempts.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the ease of exploitation warrants vigilance.
Check the StoreEngine plugin website and WordPress plugin repository for updates and security advisories related to CVE-2025-9215.