Description
The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-09-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated arbitrary file download (Path Traversal)
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the StoreEngine WordPress eCommerce plugin permits authenticated users with Subscriber-level access or higher to trigger a path traversal via the file_download() function. This flaw allows attackers to retrieve the contents of any file on the server that the web server process can read. The flaw does not directly yield code execution, but it can disclose sensitive configuration files or credentials, compromising the confidentiality of the site. The weakness is a straightforward path traversal (CWE-22).

Affected Systems

The affected product is the StoreEngine plugin developed by kodezen. All released versions up to and including 1.5.0 are impacted. The issue resides in the add-on CSV export path and affects any WordPress installation that has this plugin active. No specific minor revisions are listed beyond the 1.5.0 boundary.

Risk and Exploitability

The CVSS rating of 6.5 indicates a moderate severity, and the EPSS probability is below 1%, meaning exploitation is expected to be uncommon. The flaw is not listed in the CISA KEV catalog, suggesting limited known exploitation. However, the attack vector requires only a legitimate subscriber account, which is a common role in eCommerce sites. If the site stores sensitive user data or system files, the potential impact of data exposure is significant, especially in a broader supply-chain context.

Generated by OpenCVE AI on April 22, 2026 at 14:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the StoreEngine plugin to a version newer than 1.5.0.
  • If immediate patching is not possible, restrict the plugin's file_download feature to admin users only, or remove the capability from all lower-privilege accounts such as Subscribers.
  • Configure web-server access controls or use a reverse proxy to block path traversal requests to sensitive directories, ensuring that the plugin cannot read beyond its intended export directory.

Advisories

  • Source: EUVD
    ID: EUVD-2025-29695
    Title: same text as the Description at the top of this page.

History

Wed, 17 Sep 2025 13:15:00 +0000
Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Sep 2025 06:45:00 +0000
Values added:
  • Description: same text as the Description at the top of this page.
  • Title: StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Download
  • Weaknesses: CWE-22
  • References: (none listed)
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:03.186Z

Reserved: 2025-08-19T20:03:22.388Z

Link: CVE-2025-9215

Vulnrichment

Updated: 2025-09-17T12:51:44.727Z

NVD

Status: Deferred

Published: 2025-09-17T07:15:42.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9215

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:30:18Z

Weaknesses