Description
Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through <= 14.4.4.
Published: 2025-08-20
Score: 10 Critical
EPSS: 14.9% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The StoreKeeper for WooCommerce plugin contains a flaw that allows an attacker to upload any file type without restriction. This arbitrary file upload can be exploited to place malicious files on the server, potentially altering site content or inserting files that may be processed in a dangerous way. The issue is identified as CWE-434.

Affected Systems

All releases of the StoreKeeper for WooCommerce plugin up to and including version 14.4.4 are affected. Any WordPress site running version 14.4.4 or older of this plugin is at risk.

Risk and Exploitability

With a CVSS score of 10, the flaw is classified as critical. The CVSS vector recorded for this CVE (AV:N/AC:L/PR:N/UI:N) rates it as reachable over the network with low attack complexity, no privileges and no user interaction. The EPSS score of 15% indicates a moderate likelihood of exploitation. The vulnerability is not listed in CISA KEV. The attack vector is likely the plugin’s upload interface, which could be accessed by users with sufficient rights or possibly by unauthenticated users if the upload endpoint is publicly exposed.

Generated by OpenCVE AI on June 18, 2026 at 06:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade StoreKeeper for WooCommerce to a version newer than 14.4.4.
  • If an immediate update is not possible, configure the web server or plugin to reject or block uploads of executable file types such as .php, .exe, .sh, and .bat.
  • Implement server‑side validation to ensure that only files with approved extensions and MIME types are accepted before processing.

Advisories

Source: EUVD
ID: EUVD-2025-28144
Title: Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4.
  Added: Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through <= 14.4.4.
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Thu, 21 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce storekeeper
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Woocommerce
Woocommerce storekeeper
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4.
Title WordPress StoreKeeper for WooCommerce Plugin <= 14.4.4 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.643Z

Reserved: 2025-05-15T18:01:53.424Z

Link: CVE-2025-48148

Vulnrichment

Updated: 2025-08-20T14:07:43.657Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:30.460

Modified: 2026-06-17T09:29:14.203

Link: CVE-2025-48148

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T06:30:16Z

Weaknesses
  • CWE-434: Unrestricted Upload of File with Dangerous Type