Adorned by insufficiently restricted path handling, the StoreContrl Woocommerce plugin permits a path traversal exploit that can be used to download any file on the server. The flaw allows an attacker to craft URLs that resolve outside the intended download directory, bypassing the plugin’s security controls. Successfully exploiting this vulnerability could give an adversary access to configuration files, sensitive data, or credentials stored in non‑public files, thereby compromising confidentiality and potentially providing a foothold for further attacks.

The plugin, developed by Arture B.V., is distributed under the name StoreContrl Woocommerce – StoreContrl WP Connection. All releases from the initial version up through and including version 4.1.3 are vulnerable. If your WordPress site uses any of these versions, it is affected and should be patched immediately.

Scored with a CVSS 7.5 severity, the vulnerability carries a moderate exploitation probability reflected in an EPSS below 1%, and is not yet listed in CISA’s KEV catalog. The likely attack vector is remote, as the vulnerability is triggered through crafted requests to the WordPress site’s download endpoint. Although the low EPSS score suggests exploitation is not widespread at present, the absence of a KEV listing does not eliminate risk, especially for accounts with privileged access to the plugin’s configuration.