Description
Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Using Malicious Files.This issue affects StoreKeeper for WooCommerce: from n/a through <= 14.4.4.
Published: 2025-08-20
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits an attacker to upload files of any type through the StoreKeeper for WooCommerce plugin. This unrestricted file upload can be used to place malicious code on the server, leading to compromise of the website’s confidentiality, integrity, and availability. The weakness corresponds to CWE‑434, a classic file upload flaw that can easily evolve into remote code execution if the uploaded payload is executable.

Affected Systems

The affected entity is StoreKeeper B.V.’s StoreKeeper for WooCommerce plugin. All releases from the start of support up through version 14.4.4 are vulnerable; any installation of a version <= 14.4.4 is at risk.

Risk and Exploitability

The CVSS score of 10.0 marks this as a critical issue. The EPSS score of less than 1% indicates a very low but non‑zero probability of exploitation in the wild, and the vulnerability has not yet appeared in the CISA KEV catalog. Based on the description, the likely attack vector is exploitation of the plugin’s upload interface, which may be reachable by authenticated administrators or possibly by unauthenticated users if the upload endpoint is publicly exposed.

Generated by OpenCVE AI on April 30, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest StoreKeeper for WooCommerce patch (any release newer than 14.4.4).
  • If the patch cannot be applied immediately, configure the web server or plugin to reject or sandbox uploads of all executable MIME types and extensions (e.g., .php, .exe, .sh).
  • Implement server‑side validation to confirm that uploaded files match an allowed whitelist of extensions and MIME types before accepting them.

Generated by OpenCVE AI on April 30, 2026 at 08:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28144 Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4. Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce storekeeper-for-woocommerce allows Using Malicious Files.This issue affects StoreKeeper for WooCommerce: from n/a through <= 14.4.4.
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Thu, 21 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce storekeeper
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Woocommerce
Woocommerce storekeeper
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4.
Title WordPress StoreKeeper for WooCommerce Plugin <= 14.4.4 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Woocommerce Storekeeper Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.643Z

Reserved: 2025-05-15T18:01:53.424Z

Link: CVE-2025-48148

cve-icon Vulnrichment

Updated: 2025-08-20T14:07:43.657Z

cve-icon NVD

Status : Deferred

Published: 2025-08-20T08:15:30.460

Modified: 2026-04-23T15:30:53.120

Link: CVE-2025-48148

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T08:30:06Z

Weaknesses