Impact
The StoreKeeper for WooCommerce plugin contains a flaw that allows an attacker to upload any file type without restriction. This arbitrary file upload can be exploited to place malicious files on the server, potentially altering site content or inserting files that may be processed in a dangerous way. The issue is identified as CWE-434.
Affected Systems
All releases of the StoreKeeper for WooCommerce plugin up to and including version 14.4.4 are affected. Any WordPress site that has version 14.4.4 or older of this plugin installed is at risk.
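To check an installation against this range, the following added example (not code from the plugin or from the advisory source) reads the WordPress header comment of a plugin's main PHP file and compares its version with 14.4.4. The function names and the sample header are constructed for illustration; because the advisory names no fixed release, any version above 14.4.4 is reported only as outside the stated range.

```python
import re

# Last affected release and plugin name, both taken from the advisory text.
LAST_AFFECTED = (14, 4, 4)
PLUGIN_NAME = "StoreKeeper for WooCommerce"

# WordPress plugin metadata lives in "Key: value" lines of the header comment.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$",
    re.M | re.I)


def parse_headers(php_source):
    """Return the first Plugin Name and Version headers in a plugin file."""
    headers = {}
    # WordPress itself only inspects the first 8 KiB of the file.
    for key, value in HEADER_RE.findall(php_source[:8192]):
        headers.setdefault(key.lower(), value.strip())
    return headers


def is_affected(version):
    """True/False for a parseable version, None when it cannot be judged."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if m is None:
        return None
    parsed = tuple(int(p) for p in m.group(0).split("."))
    width = max(len(parsed), len(LAST_AFFECTED))
    # Pad with zeros so 14.4 and 14.4.4.0 compare correctly against 14.4.4.
    a = parsed + (0,) * (width - len(parsed))
    b = LAST_AFFECTED + (0,) * (width - len(LAST_AFFECTED))
    return a <= b


def check_plugin_file(php_source):
    """Classify a plugin main file by its headers."""
    headers = parse_headers(php_source)
    if headers.get("plugin name", "").lower() != PLUGIN_NAME.lower():
        return "not-this-plugin"
    verdict = is_affected(headers.get("version", ""))
    return {True: "affected", False: "not-affected", None: "unknown"}[verdict]


# Constructed sample header, not copied from the real plugin.
SAMPLE = """<?php
/**
 * Plugin Name: StoreKeeper for WooCommerce
 * Version: 14.4.4
 */
"""
print(check_plugin_file(SAMPLE))  # affected
```

An "unknown" result means the Version header was missing or non-numeric and the file needs manual review.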
Risk and Exploitability
With a CVSS score of 10, the flaw is classified as critical. The EPSS score of 15% indicates a moderate likelihood of exploitation. The vulnerability is not listed in CISA KEV. The attack vector is likely through the plugin’s upload interface, which could be accessed by users with sufficient rights or possibly by unauthenticated users if the upload endpoint is publicly exposed.