Description
Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Upload a Web Shell to a Web Server. This issue affects StoreKeeper for WooCommerce: from n/a through <= 14.4.4.
Published: 2025-05-23
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to upload any file, including web shells, to the server without restriction. By doing so, the attacker can execute arbitrary code on the web server, potentially gaining full control of the WordPress site and its underlying infrastructure. The weakness is a classic unrestricted file upload flaw, identified as CWE-434, which directly compromises confidentiality, integrity, and availability of the affected site.

Affected Systems

StoreKeeper B.V.'s StoreKeeper for WooCommerce plugin is vulnerable in all versions up to and including 14.4.4. The vulnerability applies from the earliest release through the specified upper bound, meaning any site running a version 14.4.4 or older is at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 10, reflecting a very high severity; the vector on this record (AV:N/AC:L/PR:N/UI:N) describes a network-reachable, low-complexity attack that needs no privileges and no user interaction. The EPSS score of less than 1% indicates that active exploitation is currently unlikely, but the potential impact remains extreme. The attack is likely to occur via the web upload interface, requiring only web access to the plugin’s upload endpoint. The vulnerability is not listed in the CISA KEV catalog and the SSVC assessment on this record lists exploitation as 'none', so no public exploits are known, yet the sheer ease of uploading a web shell warrants urgent mitigation.

Generated by OpenCVE AI on April 30, 2026 at 12:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the StoreKeeper for WooCommerce plugin to version 14.4.5 or later, which removes the unrestricted upload vulnerability.
  • Configure the plugin or server to restrict upload MIME types and file extensions to a whitelist of trusted types.
  • Block or limit access to the upload endpoint using firewall rules or .htaccess restrictions, and monitor server directories for unexpected executable files.
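
One way to carry out the last recommended action, monitoring upload directories for unexpected executable files, as an added example that is not OpenCVE's or the plugin's own code. The extension list, the override-file names and the constructed sample tree are assumptions; point `audit()` at the site's real uploads directory.

```python
import os
import pathlib
import tempfile

# Assumption: extensions commonly mapped to the PHP handler; match your server config.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
CONFIG_NAMES = {".htaccess", ".user.ini"}  # files that change how a directory is served
PHP_TAGS = (b"<?php", b"<?=")


def classify(name, head):
    """Return why a file is suspicious in an uploads tree, or None if it looks benign."""
    lower = name.lower()
    if lower in CONFIG_NAMES:
        return "server-config-override"
    # Check every dot-separated part, not only the last, to catch names like 'x.php.jpg'.
    if any(part in EXEC_EXTS for part in lower.split(".")[1:]):
        return "executable-extension"
    if any(tag in head for tag in PHP_TAGS):
        return "php-tag-in-content"
    return None


def audit(root, sniff_bytes=4096):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sniff_bytes)
            if reason := classify(name, head):
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


def demo():
    """Audit a constructed uploads tree (placeholder contents) built in a temp dir."""
    samples = {
        "2025/05/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2025/05/photo.PHP.jpg": b"placeholder",
        "2025/05/banner.gif": b"GIF89a<?php /* placeholder */ ?>",
        "2025/.htaccess": b"# placeholder",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = pathlib.Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(data)
        return audit(root)
```

Run it from cron or a file-integrity job and alert on any non-empty result; the content check only reads the first `sniff_bytes` of each file.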

Advisories
Source: EUVD
ID: EUVD-2025-28120
Title: Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4.
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Upload a Web Shell to a Web Server. This issue affects StoreKeeper for WooCommerce: from n/a through <= 14.4.4.
Title
  Removed: WordPress StoreKeeper for WooCommerce <= 14.4.4 - Arbitrary File Upload Vulnerability
  Added: WordPress StoreKeeper for WooCommerce plugin <= 14.4.4 - Arbitrary File Upload Vulnerability
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Tue, 27 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4.
Title WordPress StoreKeeper for WooCommerce <= 14.4.4 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Woocommerce Storekeeper
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:49.681Z

Reserved: 2025-05-07T10:45:47.044Z

Link: CVE-2025-47687

Vulnrichment

Updated: 2025-05-27T14:26:11.916Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:43.393

Modified: 2026-04-23T15:30:44.820

Link: CVE-2025-47687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:30:16Z
