CVE-2025-9216
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-17
Assigner: Wordfence
Description
Description
The StoreEngine β Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | storeengine | 1.4.0 |
| wordfence | storeengine | 1.5.1 |
| wordfence | storeengine | * |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the StoreEngine WordPress eCommerce plugin, where the import() function lacks proper file type validation. This allows authenticated users with Subscriber-level access or higher to upload arbitrary files to the server, potentially enabling remote code execution.
How can this vulnerability impact me? :
An attacker with at least Subscriber-level access can upload malicious files to the server, which may lead to remote code execution. This can compromise the website, allowing unauthorized control, data theft, or further attacks.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70